From 4a5d4a2bac94a83826f670776a0b43cb26a0caaa Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Tue, 21 Sep 2021 12:12:34 +0530
Subject: [PATCH 01/50] debugging
Signed-off-by: NoSkillGirl
---
pkg/engine/validate/utils.go | 6 +
pkg/engine/validate/validate.go | 12 +-
pkg/engine/validate/validate_test.go | 263 ++++++++++++++-------------
3 files changed, 149 insertions(+), 132 deletions(-)
diff --git a/pkg/engine/validate/utils.go b/pkg/engine/validate/utils.go
index 6d087acd65..5bfcefd641 100644
--- a/pkg/engine/validate/utils.go
+++ b/pkg/engine/validate/utils.go
@@ -2,6 +2,7 @@ package validate
 import (
 "container/list"
+ "fmt"
 commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor/common"
 )
@@ -34,11 +35,16 @@ func hasNestedAnchors(pattern interface{}) bool {
 // getSortedNestedAnchorResource - sorts anchors key
 func getSortedNestedAnchorResource(resources map[string]interface{}) *list.List {
 sortedResourceKeys := list.New()
+ fmt.Println("\n-----------getSortedNestedAnchorResource------------")
+ fmt.Println("resources: ", resources)
 for k, v := range resources {
+ fmt.Println("k: ", k, " v:", v)
 if hasNestedAnchors(v) {
 sortedResourceKeys.PushFront(k)
+ fmt.Println("PushFront")
 } else {
 sortedResourceKeys.PushBack(k)
+ fmt.Println("PushBack")
 }
 }
 return sortedResourceKeys
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index cd109500ba..31317b6b8e 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
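Review bot: The `fmt.Println` calls added to getSortedNestedAnchorResource dump the whole `resources` map and every key/value pair to stdout, outside the logr logger that validateResourceElement and validateMap already receive as `log`, so nothing gates the output by verbosity and whatever object is being validated — which in this engine may include Secret data — is written to the process output in clear. The same applies to the prints added to validateResourceElement and validateMap in the validate.go hunks, to the `key picked` print in the @@ -112 hunk, and to the prints added to hasNestedAnchors in PATCH 02. If the trace is needed while debugging, route it through the logger at a debug level, e.g. `log.V(4).Info("sorting anchor keys", "key", k, "nested", hasNestedAnchors(v))`, passing `log` into getSortedNestedAnchorResource, and remove it before the series merges; the `"fmt"` import added in the first hunk then goes away with it.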
@@ -36,6 +36,11 @@ func ValidateResourceWithPattern(logger logr.Logger, resource, pattern interface
 // and calls corresponding handler
 // Pattern tree and resource tree can have different structure. In this case validation fails
 func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string, ac *common.AnchorKey) (string, error) {
+ fmt.Println("\n---------------validateResourceElement--------------")
+ fmt.Println("resourceElement: ", resourceElement)
+ fmt.Println("patternElement: ", patternElement)
+ fmt.Println("originPattern: ", originPattern)
+ fmt.Println("path: ", path)
 switch typedPatternElement := patternElement.(type) {
 // map
 case map[string]interface{}:
@@ -83,7 +88,11 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o
 // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap
 // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement
 func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string, ac *common.AnchorKey) (string, error) {
-
+ fmt.Println("\n-------------validateMap----------------")
+ fmt.Println("resourceMap: ", resourceMap)
+ fmt.Println("patternMap: ", patternMap)
+ fmt.Println("origPattern: ", origPattern)
+ fmt.Println("path: ", path)
 patternMap = wildcards.ExpandInMetadata(patternMap, resourceMap)
 // check if there is anchor in pattern
 // Phase 1 : Evaluate all the anchors
@@ -112,6 +121,7 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
 sortedResourceKeys := getSortedNestedAnchorResource(resources)
 for e := sortedResourceKeys.Front(); e != nil; e = e.Next() {
 key := e.Value.(string)
+ fmt.Println("key picked: ", key)
 handler := anchor.CreateElementHandler(key, resources[key], path)
 handlerPath, err := handler.Handle(validateResourceElement, resourceMap, origPattern, ac)
 if err != nil {
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index 89baba0883..bda86e5235 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -1371,143 +1371,144 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource []byte nilErr bool }{ + // { + // name: "test-1", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-2", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-x", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-3", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, { - name: "test-1", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-2", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-x", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": 
"!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-3", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, { name: "check global anchor", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), nilErr: true, }, - { - name: "test-4", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-5", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-6", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-7", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-8", - pattern: 
[]byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-9", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-10", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-11", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-12", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-13", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", 
"imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-14", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-15", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, - { - name: "test-16", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-17", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-18", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), - nilErr: true, - }, - { - name: "test-19", - pattern: []byte(`{"spec": {"containers": [{"name": 
"*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-20", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:latest", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, - { - name: "test-21", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.2.3", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - nilErr: true, - }, + // { + // name: "test-4", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-5", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-6", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-7", + // pattern: []byte(`{"spec": {"containers": [{"name": 
"*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-8", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-9", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-10", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-11", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-12", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": 
[{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-13", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-14", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-15", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-16", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-17", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", 
"imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-18", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), + // nilErr: true, + // }, + // { + // name: "test-19", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-20", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:latest", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + // nilErr: false, + // }, + // { + // name: "test-21", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.2.3", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + // nilErr: true, + // }, } for _, testCase := range testCases { From aba3bad8fc888533549edbf0e6462d459bd882af Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Tue, 21 Sep 2021 20:15:09 +0530 Subject: [PATCH 02/50] adding logic for checking key in resources Signed-off-by: NoSkillGirl --- pkg/engine/validate/utils.go | 9 +- pkg/engine/validate/validate_test.go | 263 +++++++++++++-------------- 2 files changed, 139 insertions(+), 133 deletions(-) 
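Review bot: All the `test-N` cases of TestConditionalAnchorWithMultiplePatterns are commented out rather than skipped, so they disappear from the run with no record in the test output and only `check global anchor` still executes. PATCH 02 puts them back verbatim, so the two patches are better squashed so that a revision with the suite disabled never lands in history. Where a case genuinely has to be muted while debugging, a `t.Skip("…")` call (inside the subtest, if the loop uses `t.Run`) keeps it visible under `go test -v`. The enclosing test function begins before the hunk.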
diff --git a/pkg/engine/validate/utils.go b/pkg/engine/validate/utils.go
index 5bfcefd641..c3b684d459 100644
--- a/pkg/engine/validate/utils.go
+++ b/pkg/engine/validate/utils.go
@@ -11,6 +11,7 @@ import (
 func hasNestedAnchors(pattern interface{}) bool {
 switch typed := pattern.(type) {
 case map[string]interface{}:
+ fmt.Println("map[string]interface{}......")
 if anchors := getAnchorsFromMap(typed); len(anchors) > 0 {
 return true
 }
@@ -21,6 +22,7 @@ func hasNestedAnchors(pattern interface{}) bool {
 }
 return false
 case []interface{}:
+ fmt.Println("[]interface{}......")
 for _, value := range typed {
 if hasNestedAnchors(value) {
 return true
@@ -28,6 +30,7 @@ func hasNestedAnchors(pattern interface{}) bool {
 }
 return false
 default:
+ fmt.Println("default......")
 return false
 }
 }
@@ -39,6 +42,10 @@ func getSortedNestedAnchorResource(resources map[string]interface{}) *list.List
 fmt.Println("resources: ", resources)
 for k, v := range resources {
 fmt.Println("k: ", k, " v:", v)
+ if commonAnchors.IsConditionAnchor(k) || commonAnchors.IsExistenceAnchor(k) || commonAnchors.IsEqualityAnchor(k) || commonAnchors.IsNegationAnchor(k) || commonAnchors.IsGlobalAnchor(k) {
+ sortedResourceKeys.PushFront(k)
+ continue
+ }
 if hasNestedAnchors(v) {
 sortedResourceKeys.PushFront(k)
 fmt.Println("PushFront")
@@ -54,7 +61,7 @@ func getSortedNestedAnchorResource(resources map[string]interface{}) *list.List
 func getAnchorsFromMap(anchorsMap map[string]interface{}) map[string]interface{} {
 result := make(map[string]interface{})
 for key, value := range anchorsMap {
- if commonAnchors.IsConditionAnchor(key) || commonAnchors.IsExistenceAnchor(key) || commonAnchors.IsEqualityAnchor(key) || commonAnchors.IsNegationAnchor(key) {
+ if commonAnchors.IsConditionAnchor(key) || commonAnchors.IsExistenceAnchor(key) || commonAnchors.IsEqualityAnchor(key) || commonAnchors.IsNegationAnchor(key) || commonAnchors.IsGlobalAnchor(key) {
 result[key] = value
 }
 }
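Review bot: The five-way anchor predicate added in the @@ -39 hunk of getSortedNestedAnchorResource is the same expression the @@ -54 hunk extends in getAnchorsFromMap, and this commit already had to touch both to add `IsGlobalAnchor`; the next anchor kind will have to be added in two places again, and the two copies can silently drift. The new branch also does exactly what the following `if hasNestedAnchors(v)` branch does (`PushFront`), so the `continue` only serves to skip the debug print. Extracting one `isAnchorKey(key string) bool` helper, using it in getAnchorsFromMap as `if isAnchorKey(key) {`, and folding the two front-pushing conditions into a single `if` keeps the rule in one place.
```go
// isAnchorKey reports whether key carries one of the anchor markers recognised here
// (condition, existence, equality, negation or global).
func isAnchorKey(key string) bool {
	return commonAnchors.IsConditionAnchor(key) ||
		commonAnchors.IsExistenceAnchor(key) ||
		commonAnchors.IsEqualityAnchor(key) ||
		commonAnchors.IsNegationAnchor(key) ||
		commonAnchors.IsGlobalAnchor(key)
}

// … unchanged: getSortedNestedAnchorResource up to the range loop …
		// keys that are anchors themselves, or that contain anchors, are handled first
		if isAnchorKey(k) || hasNestedAnchors(v) {
			sortedResourceKeys.PushFront(k)
		} else {
			sortedResourceKeys.PushBack(k)
		}
```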
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index bda86e5235..89baba0883 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -1371,144 +1371,143 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource []byte nilErr bool }{ - // { - // name: "test-1", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-2", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-x", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-3", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, { + name: "test-1", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-2", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-x", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": 
"!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-3", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, { name: "check global anchor", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), nilErr: true, }, - // { - // name: "test-4", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-5", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-6", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-7", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": 
"Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-8", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-9", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-10", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-11", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-12", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-13", - // pattern: []byte(`{"spec": 
{"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-14", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-15", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-16", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-17", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-18", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: 
[]byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), - // nilErr: true, - // }, - // { - // name: "test-19", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-20", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:latest", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - // nilErr: false, - // }, - // { - // name: "test-21", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), - // resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.2.3", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), - // nilErr: true, - // }, + { + name: "test-4", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-5", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-6", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": 
"*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-7", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-8", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-9", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-10", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-11", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: 
"test-12", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"},{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-13", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-14", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-15", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-16", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-17", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": 
"busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-18", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.28", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Never"}]}}`), + nilErr: true, + }, + { + name: "test-19", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-20", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:latest", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-21", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.2.3", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, } for _, testCase := range testCases { From d6e977a34d8ef5ed950686314cfad1c14673735e Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Wed, 22 Sep 2021 01:51:57 +0530 Subject: [PATCH 03/50] updated logic for key in resources Signed-off-by: NoSkillGirl --- pkg/engine/validate/utils.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkg/engine/validate/utils.go b/pkg/engine/validate/utils.go
index c3b684d459..cd53eaa58d 100644
--- a/pkg/engine/validate/utils.go
+++ b/pkg/engine/validate/utils.go
@@ -42,7 +42,7 @@ func getSortedNestedAnchorResource(resources map[string]interface{}) *list.List
 fmt.Println("resources: ", resources)
 for k, v := range resources {
 fmt.Println("k: ", k, " v:", v)
- if commonAnchors.IsConditionAnchor(k) || commonAnchors.IsExistenceAnchor(k) || commonAnchors.IsEqualityAnchor(k) || commonAnchors.IsNegationAnchor(k) || commonAnchors.IsGlobalAnchor(k) {
+ if commonAnchors.IsGlobalAnchor(k) {
 sortedResourceKeys.PushFront(k)
 continue
 }
From 799ae0f80d40f5358f6c8c5b6dd4e48142dbd576 Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Wed, 22 Sep 2021 14:33:59 +0530
Subject: [PATCH 04/50] added test cases
Signed-off-by: NoSkillGirl
---
 pkg/engine/validate/validate_test.go | 59 ++++++++++++++++++++++------
 1 file changed, 48 insertions(+), 11 deletions(-)
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index 89baba0883..4eaeda6309 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
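Review bot: The context lines of this hunk still carry the `fmt.Println("resources: ", resources)` and `fmt.Println("k: ", k, " v:", v)` debug prints from the earlier "debugging" commit in this series, so every validation run dumps the policy pattern and resource fragments to stdout, outside the `logr` logger the rest of the engine uses and with no level gating. Admission payloads routinely contain data an operator does not want in plain stdout (env values, annotations), so these should be deleted or moved to a leveled `log.V(4).Info(...)` before the series merges. The narrowing of the `PushFront` condition to `IsGlobalAnchor(k)` alone is the intended change; presumably the other anchor kinds now fall through to the `hasNestedAnchors` ordering below, which is outside the hunk, so a comment such as `// global anchors are evaluated first; all other keys are ordered by hasNestedAnchors` would make that intent explicit.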
@@ -1383,22 +1383,11 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), nilErr: false, }, - { - name: "test-x", - pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), - nilErr: false, - }, { name: "test-3", pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), nilErr: false, - }, { - name: "check global anchor", - pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: true, }, { name: "test-4", 
@@ -1508,6 +1497,54 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource: []byte(`{"spec": {"containers": [{"name": "busybox","image": "busybox:1.2.3", "imagePullPolicy": "Always"},{"name": "nginx","image": "nginx:1.2.3", "imagePullPolicy": "Always"}]}}`), nilErr: true, }, + { + name: "test-22", + pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "!*:* | *:latest","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-23", + pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-24", + pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-25", + pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo1", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-26", + pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + { + name: "test-27", + pattern: []byte(`{"spec": {"containers": [{"name": "*", "env": [{"<(name)": "foo", "<(value)": "bar" 
}],"imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo1", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), + nilErr: true, + }, + { + name: "test-28", + pattern: []byte(`{"spec": {"containers": [{"name": "*", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`), + resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), + nilErr: false, + }, + // { + // name: "test-29", + // pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest"}],"=(volumes)": [{"=(hostPath)": {"path": "!/var/run/docker.sock"}}]}}`), + // resource: []byte(`{"spec": {"containers": [{"image": "nginx","name": "nginx","volumeMounts": [{"mountPath": "/test-pd","name": "test-volume"}]}],"volumes": [{"name": "test-volume","hostPath": {"path": "/var/run/docker.sock","type": "Directory"}}]}}`), + // nilErr: true, + // }, } for _, testCase := range testCases { From f9c789967ce548f1fc2bfada63ba235de1171a6a Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Thu, 23 Sep 2021 15:01:34 +0530 Subject: [PATCH 05/50] added test cases Signed-off-by: NoSkillGirl --- pkg/engine/validate/validate_test.go | 30 +++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index 4eaeda6309..af673e7083 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go 
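Review bot: test-29 at the end of the hunk is added already commented out with no reason, and it is the one case that combines a `<(image)` global anchor with `=(volumes)`/`=(hostPath)` equality anchors on the docker-socket path, which is the shape real pod-security policies take. A commented-out case silently rots; either enable it, or keep it with an explicit marker so the gap stays visible, e.g. `// TODO: test-29 disabled — equality anchors alongside a non-matching global anchor; re-enable once the expected result is settled (see <issue>)`. The numeric names `test-22` … `test-28` also force a reader to diff the pattern and resource strings to learn what each case covers; a short descriptive name per case such as `"env conditional anchor not matched -> rule skipped"` would make a future regression self-explanatory.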
@@ -1539,12 +1539,36 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), nilErr: false, }, + { + name: "test-29", + pattern: []byte(`{"metadata": {"<(name)": "nginx"},"spec": {"imagePullSecrets": [{"name": "regcred"}]}}`), + resource: []byte(`{"metadata": {"name": "somename"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`), + nilErr: true, + }, + { + name: "test-30", + pattern: []byte(`{"metadata": {"<(name)": "nginx"},"spec": {"imagePullSecrets": [{"name": "regcred"}]}}`), + resource: []byte(`{"metadata": {"name": "nginx"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`), + nilErr: false, + }, // { - // name: "test-29", - // pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest"}],"=(volumes)": [{"=(hostPath)": {"path": "!/var/run/docker.sock"}}]}}`), - // resource: []byte(`{"spec": {"containers": [{"image": "nginx","name": "nginx","volumeMounts": [{"mountPath": "/test-pd","name": "test-volume"}]}],"volumes": [{"name": "test-volume","hostPath": {"path": "/var/run/docker.sock","type": "Directory"}}]}}`), + // name: "test-31", + // pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), + // resource: []byte(`{"metadata": {"name": "nginx1","labels": {"foo1": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`), // nilErr: true, // }, + { + name: "test-32", + pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), + resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx"}]}}`), + nilErr: true, + }, + { + name: 
"test-33", + pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), + resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`), + nilErr: false, + }, } for _, testCase := range testCases { From 6672a0caa374e9c1c125636f5199aa8071be772b Mon Sep 17 00:00:00 2001 From: Pooja Singh Date: Fri, 24 Sep 2021 23:06:50 +0530 Subject: [PATCH 06/50] update the GR while deletion to enqueue in cleanup (#2429) Signed-off-by: NoSkillGirl --- pkg/webhooks/generation.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index 4c357e45a2..d208a3569a 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go @@ -384,7 +384,7 @@ func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) { } resLabels := resource.GetLabels() - if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == v1beta1.Delete { + if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && request.Operation == v1beta1.Delete { grName := resLabels["policy.kyverno.io/gr-name"] gr, err := ws.grLister.Get(grName) if err != nil { From 63f5c09297d0cbf292a74d2e2913d3ed4ec92328 Mon Sep 17 00:00:00 2001 From: Naman Lakhwani Date: Fri, 24 Sep 2021 23:52:57 +0530 Subject: [PATCH 07/50] NetworkPolicy: `from` should be an array of objects (#2423) --- charts/kyverno/templates/networkpolicy.yaml | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/charts/kyverno/templates/networkpolicy.yaml b/charts/kyverno/templates/networkpolicy.yaml index 71c8e15cec..6c79e02ac5 100644 --- a/charts/kyverno/templates/networkpolicy.yaml +++ b/charts/kyverno/templates/networkpolicy.yaml 
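Review bot: test-31 is added already commented out, with no pointer to why it fails or when it will be re-enabled; it is the negative case for a `<(foo)` label global anchor that does not match, while the sibling positive cases test-32 and test-33 are enabled, so the disabled case is the one most likely to hide a regression. Replace the comment block with an enabled case if `nilErr: true` is the correct expectation for a non-matching global anchor under `metadata.labels`, or keep it with an explicit skip note such as `// TODO: test-31 disabled — non-matching global anchor under metadata.labels currently errors; see <issue>`. The enclosing table and the loop that runs it continue outside the hunk.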
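Review bot: The new condition keys the GenerateRequest update solely on the `app.kubernetes.io/managed-by=kyverno` label plus the `policy.kyverno.io/gr-name` label read on the next line, and by dropping the `policy.kyverno.io/synchronize=enable` check it widens the set of deletions that reach `ws.grLister.Get(grName)`. Both labels are ordinary user-writable metadata on the deleted object, so a user with delete rights in their own namespace can label an arbitrary resource `managed-by: kyverno` with a chosen `gr-name` and have this handler fetch and update a GR it never generated; that was possible before as well, but this change removes one hurdle. Before acting on `gr`, verify that the GR actually records this resource (kind, namespace, name) among its generated resources and ignore the request otherwise — the remainder of `handleDelete`, including the update, is outside the hunk, so this is a hedged read. A short `//` comment stating why `synchronize` is no longer required (the commit title says it is for cleanup enqueueing) would also help the next reader.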
@@ -15,20 +15,20 @@ spec: ingress: - from: {{- with .Values.networkPolicy }} - namespaceSelector: - matchExpressions: - {{- toYaml .namespaceExpressions | nindent 8 }} - matchLabels: - {{- range $key, $value := .namespaceLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} - podSelector: - matchExpressions: - {{- toYaml .podExpressions | nindent 8 }} - matchLabels: - {{- range $key, $value := .podLabels }} - {{ $key | quote }}: {{ $value | quote }} - {{- end }} + - namespaceSelector: + matchExpressions: + {{- toYaml .namespaceExpressions | nindent 10 }} + matchLabels: + {{- range $key, $value := .namespaceLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + podSelector: + matchExpressions: + {{- toYaml .podExpressions | nindent 10 }} + matchLabels: + {{- range $key, $value := .podLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} {{- end }} ports: - protocol: TCP From 39061d91c44e383d326a2073d79c4ec8e570a7be Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 26 Sep 2021 02:12:31 -0700 Subject: [PATCH 08/50] implement validate.foreach 
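Review bot: The `from:` entry is now correctly a list, but when `.Values.networkPolicy` is empty the `{{- with }}` body renders nothing and the rule becomes `- from:` with no peers, which in NetworkPolicy semantics admits ingress from every source on the listed port — the opposite of what someone enabling the policy expects. Consider failing fast when no selector is configured, e.g. `{{- if not (or .namespaceLabels .namespaceExpressions .podLabels .podExpressions) }}{{ fail "networkPolicy requires a namespace or pod selector" }}{{- end }}` at the top of the `with` body. Also, `toYaml` of an unset `namespaceExpressions`/`podExpressions` emits `null` under `matchExpressions`, which the API server tolerates but which is easy to misread in rendered output; the chart's `values.yaml` is outside this diff, so I cannot confirm the defaults. The template's `spec`/`podSelector` header and the `ports` entries continue outside the hunk.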
Signed-off-by: Jim Bugwadia --- go.mod | 1 + go.sum | 11 + pkg/api/kyverno/v1/policy_types.go | 35 ++ pkg/engine/common/anchorKey.go | 2 +- pkg/engine/context/context.go | 38 +- pkg/engine/context/context_test.go | 2 +- pkg/engine/forceMutate.go | 7 +- pkg/engine/generation.go | 4 +- pkg/engine/imageVerify.go | 6 +- pkg/engine/mutate/mutation.go | 2 +- pkg/engine/mutate/overlay.go | 18 +- pkg/engine/mutate/patchJson6902.go | 10 +- pkg/engine/mutate/patchJson6902_test.go | 3 +- pkg/engine/mutate/patches.go | 8 +- pkg/engine/mutate/patches_test.go | 19 +- pkg/engine/mutate/strategicMergePatch.go | 12 +- pkg/engine/mutate/strategicPreprocessing.go | 3 +- pkg/engine/mutation.go | 8 +- pkg/engine/response/response.go | 32 +- pkg/engine/response/status.go | 68 +++ pkg/engine/utils.go | 3 +- pkg/engine/validate/common.go | 9 + pkg/engine/validate/validate.go | 15 +- pkg/engine/validate/validate_test.go | 2 +- pkg/engine/validation.go | 529 ++++++++++++------ pkg/engine/validation_test.go | 37 +- pkg/engine/variables/vars.go | 119 ++-- pkg/generate/generate.go | 3 +- pkg/kyverno/common/common.go | 6 +- .../policyExecutionDuration.go | 2 +- pkg/metrics/policyresults/policyResults.go | 2 +- pkg/policy/apply.go | 2 +- pkg/policy/report.go | 2 +- pkg/policyreport/builder.go | 2 +- pkg/testrunner/scenario.go | 4 +- pkg/webhooks/annotations_test.go | 21 +- pkg/webhooks/common.go | 4 +- pkg/webhooks/generation.go | 2 +- test/e2e/mutate/mutate_test.go | 2 +- 39 files changed, 712 insertions(+), 343 deletions(-) create mode 100644 pkg/engine/response/status.go diff --git a/go.mod b/go.mod index ffb2930a88..ded405871c 100644 --- a/go.mod +++ b/go.mod @@ -29,6 +29,7 @@ require ( github.com/onsi/ginkgo v1.15.0 github.com/onsi/gomega v1.11.0 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 + github.com/ory/go-acc v0.2.6 // indirect github.com/patrickmn/go-cache v2.1.0+incompatible github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.11.0 
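Review bot: `github.com/ory/go-acc v0.2.6 // indirect` is a test-coverage CLI, not something the kyverno binary imports, and adding it to the main module's `require` block pulls its transitive graph (`ory/viper`, `dgraph-io/ristretto`, `pborman/uuid`, … in go.sum) into what release builds resolve and what dependency scanners have to vet. If it is needed for CI, install it in the workflow with `go install github.com/ory/go-acc@v0.2.6` or track it in a build-tagged `tools.go`; otherwise drop the line and run `go mod tidy`. The rest of the `require` block continues outside the hunk.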
diff --git a/go.sum b/go.sum index 2d39faab20..955fd86e40 100644 --- a/go.sum +++ b/go.sum @@ -481,8 +481,12 @@ github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0/go.mod h1:J70FGZSbzsjecRTiTzER+ github.com/denisenkom/go-mssqldb v0.9.0/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU= github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= github.com/devigned/tab v0.1.1/go.mod h1:XG9mPq0dFghrYvoBF3xdRrJzSTX1b7IQrvaL9mzjeJY= +github.com/dgraph-io/ristretto v0.0.1/go.mod h1:T40EBc7CJke8TkpiYfGGKAeFjSaxuFXhuXRyumBd6RE= +github.com/dgraph-io/ristretto v0.0.2 h1:a5WaUrDa0qm0YrAAS1tUykT5El3kt62KNZZeMxQn3po= +github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E= github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= 
@@ -1388,6 +1392,10 @@ github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnh github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw= github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI= +github.com/ory/go-acc v0.2.6 h1:YfI+L9dxI7QCtWn2RbawqO0vXhiThdXu/RgizJBbaq0= +github.com/ory/go-acc v0.2.6/go.mod h1:4Kb/UnPcT8qRAk3IAxta+hvVapdxTLWtrr7bFLlEgpw= +github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE= +github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= 
@@ -1399,12 +1407,14 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc= github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ= github.com/pborman/getopt v0.0.0-20180729010549-6fdd0a2c7117/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= +github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= +github.com/pelletier/go-toml v1.8.0/go.mod h1:D6yutnOGMveHEPV7VQOuvI/gXY61bv+9bAOTRnLElKs= github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= github.com/pelletier/go-toml v1.9.3 h1:zeC5b1GviRUyKYd6OJPvBU/mcVDVoL1OhT17FCt5dSQ= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= 
@@ -1849,6 +1859,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 225e9441dc..c4e1e14742 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -398,6 +398,8 @@ type Validation struct { // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` + ForEachValidation *ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"` + // Pattern specifies an overlay-style pattern used to check resources. // +kubebuilder:validation:XPreserveUnknownFields // +optional 
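Review bot: The new `ForEachValidation *ForEachValidation` field is the only field in `Validation` added without a doc comment or the `// +optional` marker its siblings `Message` and `Pattern` carry, so generated CRD docs will show an undocumented field and the schema annotations will be inconsistent within the struct. Add something like `// ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.` followed by `// +optional` above the field. Since a `foreach` block presumably cannot be combined with a top-level `pattern`/`anyPattern`/`deny` on the same rule, the comment should also say whether the fields are mutually exclusive and where that is enforced — the policy validation code is not in this hunk.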
@@ -424,6 +426,39 @@ type Deny struct { AnyAllConditions apiextensions.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"` } +type ForEachValidation struct { + + // List specifies a JMESPath expression that results in one or more elements + // to which the validation logic is applied. + List string `json:"list,omitempty" yaml:"list,omitempty"` + + // Context defines variables and data sources that can be used during rule execution. + // +optional + Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"` + + // Preconditions are used to determine if a policy rule should be applied by evaluating a + // set of conditions. The declaration can contain nested `any` or `all` statements. + // See: https://kyverno.io/docs/writing-policies/preconditions/ + // +kubebuilder:validation:XPreserveUnknownFields + // +optional + AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + + // Pattern specifies an overlay-style pattern used to check resources. + // +kubebuilder:validation:XPreserveUnknownFields + // +optional + Pattern apiextensions.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"` + + // AnyPattern specifies list of validation patterns. At least one of the patterns + // must be satisfied for the validation rule to succeed. + // +kubebuilder:validation:XPreserveUnknownFields + // +optional + AnyPattern apiextensions.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"` + + // Deny defines conditions used to pass or fail a validation rule. + // +optional + Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"` +} + // ImageVerification validates that images that match the specified pattern // are signed with the supplied public key. Once the image is verified it is // mutated to include the SHA digest retrieved during the registration. diff --git a/pkg/engine/common/anchorKey.go b/pkg/engine/common/anchorKey.go index a1207a5a92..6e1e92e13d 100644 
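Review bot: `List` is the one input a `ForEachValidation` cannot work without — with no JMESPath result there is nothing to iterate — yet it is declared `omitempty` with no `// +kubebuilder:validation:Required` marker and no statement of what it is evaluated against, so a rule with a typo in `list` passes CRD validation and its effect depends on how the engine treats an empty iteration (a vacuous pass would silently disable the check). Add `// +kubebuilder:validation:Required` to `List` and say in its comment that the expression is evaluated against the rule's variable context and must yield a list. The `Context` comment should also make clear that the entries are evaluated once per element, since `ContextEntry` API calls then scale with list length and become a rate-limit concern for large lists; I am inferring the per-element scope from the `Checkpoint`/`Restore` stack added to `pkg/engine/context` in this same commit, so confirm against the engine code.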
--- a/pkg/engine/common/anchorKey.go +++ b/pkg/engine/common/anchorKey.go @@ -16,7 +16,7 @@ func IsConditionalAnchorError(msg string) bool { return false } -// IsGlobalAnchorError checks if error message has conditional anchor error string +// IsGlobalAnchorError checks if error message has global anchor error string func IsGlobalAnchorError(msg string) bool { return strings.Contains(msg, GlobalAnchorErrMsg) } diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go index b5abce1289..4df504a047 100644 --- a/pkg/engine/context/context.go +++ b/pkg/engine/context/context.go @@ -55,7 +55,7 @@ type EvalInterface interface { type Context struct { mutex sync.RWMutex jsonRaw []byte - jsonRawCheckpoint []byte + jsonRawCheckpoints [][]byte builtInVars []string images *Images log logr.Logger @@ -68,6 +68,7 @@ func NewContext(builtInVars ...string) *Context { jsonRaw: []byte(`{}`), // empty json struct builtInVars: builtInVars, log: log.Log.WithName("context"), + jsonRawCheckpoints: make([][]byte, 0), } return &ctx 
@@ -306,28 +307,45 @@ func (ctx *Context) ImageInfo() *Images { return ctx.images } -// Checkpoint creates a copy of the internal state. -// Prior checkpoints will be overridden. +// Checkpoint creates a copy of the current internal state and +// pushes it into a stack of stored states. func (ctx *Context) Checkpoint() { ctx.mutex.Lock() defer ctx.mutex.Unlock() - ctx.jsonRawCheckpoint = make([]byte, len(ctx.jsonRaw)) - copy(ctx.jsonRawCheckpoint, ctx.jsonRaw) + jsonRawCheckpoint := make([]byte, len(ctx.jsonRaw)) + copy(jsonRawCheckpoint, ctx.jsonRaw) + + ctx.jsonRawCheckpoints = append(ctx.jsonRawCheckpoints, jsonRawCheckpoint) } -// Restore restores internal state from a prior checkpoint, if one exists. -// If a prior checkpoint does not exist, the state will not be changed. +// Restore sets the internal state to the last checkpoint, and removes the checkpoint. func (ctx *Context) Restore() { + ctx.reset(true) +} + +// Reset sets the internal state to the last checkpoint, but does not remove the checkpoint. +func (ctx *Context) Reset() { + ctx.reset(false) +} + +func (ctx *Context) reset(remove bool) { ctx.mutex.Lock() defer ctx.mutex.Unlock() - if ctx.jsonRawCheckpoint == nil || len(ctx.jsonRawCheckpoint) == 0 { + if len(ctx.jsonRawCheckpoints) == 0 { return } - ctx.jsonRaw = make([]byte, len(ctx.jsonRawCheckpoint)) - copy(ctx.jsonRaw, ctx.jsonRawCheckpoint) + n := len(ctx.jsonRawCheckpoints) - 1 + jsonRawCheckpoint := ctx.jsonRawCheckpoints[n] + + ctx.jsonRaw = make([]byte, len(jsonRawCheckpoint)) + copy(ctx.jsonRaw, jsonRawCheckpoint) + + if remove { + ctx.jsonRawCheckpoints = ctx.jsonRawCheckpoints[:n] + } } // AddBuiltInVars adds given pattern to the builtInVars diff --git a/pkg/engine/context/context_test.go b/pkg/engine/context/context_test.go index bc79a836e3..10ffb8a13c 100644 --- a/pkg/engine/context/context_test.go +++ b/pkg/engine/context/context_test.go 
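Review bot: `Checkpoint` now pushes a full copy of `jsonRaw` on every call and only `Restore` pops, while `Reset` deliberately keeps the checkpoint and `reset` silently returns when the stack is empty, so an unbalanced caller — a `Checkpoint` inside a loop whose `Restore` is skipped by an early `return` or `continue` — grows the stack by one JSON copy of the resource per iteration with no signal. Document the pairing contract on the exported methods, e.g. `// Checkpoint must be paired with a later Restore; iterating callers should Reset between elements and Restore once at the end.`, and consider logging at V(4) in `reset` when the stack is empty, since that indicates a caller bug rather than a benign no-op. The copy of the checkpoint into a fresh `jsonRaw` in `reset` is needed because `Reset` leaves the checkpoint in place and later writes would otherwise alias it; a one-line comment saying so would stop the next reader from "optimising" it into an assignment.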
@@ -115,6 +115,6 @@ func Test_addResourceAndUserContext(t *testing.T) { expectedResult = "nirmata" t.Log(result) if !reflect.DeepEqual(expectedResult, result) { - t.Error("exected result does not match") + t.Error("expected result does not match") } } diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go index ee4bb90295..8a212bead4 100644 --- a/pkg/engine/forceMutate.go +++ b/pkg/engine/forceMutate.go @@ -83,7 +83,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour if rule.Mutation.Patches != nil { var resp response.RuleResponse resp, resource = mutate.ProcessPatches(logger.WithValues("rule", rule.Name), rule.Name, rule.Mutation, resource) - if !resp.Success { + if resp.Status != response.RuleStatusPass { return unstructured.Unstructured{}, fmt.Errorf(resp.Message) } } @@ -91,7 +91,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour if rule.Mutation.PatchStrategicMerge != nil { var resp response.RuleResponse resp, resource = mutate.ProcessStrategicMergePatch(rule.Name, rule.Mutation.PatchStrategicMerge, resource, logger.WithValues("rule", rule.Name)) - if !resp.Success { + if resp.Status != response.RuleStatusPass { return unstructured.Unstructured{}, fmt.Errorf(resp.Message) } } @@ -104,11 +104,10 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour } resp, resource = mutate.ProcessPatchJSON6902(rule.Name, jsonPatches, resource, logger.WithValues("rule", rule.Name)) - if !resp.Success { + if resp.Status != response.RuleStatusPass { return unstructured.Unstructured{}, fmt.Errorf(resp.Message) } } - } return resource, nil diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 6750977404..8df53e34a2 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go 
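Review bot: Each of the three changed conditions is immediately followed by `return unstructured.Unstructured{}, fmt.Errorf(resp.Message)`, which uses a runtime-built message as the format string; `resp.Message` is assembled from patch paths and resource values (see the `fmt.Sprintf` calls in overlay.go and patchJson6902.go in this same commit), so a `%` in a path or value yields `%!d(MISSING)`-style garbage or dropped text, and `go vet` flags the pattern. Replace the three with `return unstructured.Unstructured{}, errors.New(resp.Message)`. Separately, moving from `!resp.Success` to `resp.Status != response.RuleStatusPass` makes every non-pass status abort `ForceMutate`; if the new `status.go` (not visible here) defines a skip or warn value, a skipped rule would become a hard error, so either compare against `RuleStatusFail`/`RuleStatusError` explicitly or confirm the mutate handlers only emit pass and fail. `ForceMutate` begins outside the hunk.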
@@ -82,7 +82,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR return &response.RuleResponse{ Name: rule.Name, Type: "Generation", - Success: false, + Status: response.RuleStatusFail, RuleStats: response.RuleStats{ ProcessingTime: time.Since(startTime), RuleExecutionTimestamp: startTime.Unix(), @@ -125,7 +125,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR return &response.RuleResponse{ Name: ruleCopy.Name, Type: "Generation", - Success: true, + Status: response.RuleStatusPass, RuleStats: response.RuleStats{ ProcessingTime: time.Since(startTime), RuleExecutionTimestamp: startTime.Unix(), diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 6ecb1e4b6b..6c1b522bb5 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -34,7 +34,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe startTime := time.Now() defer func() { - buildResponse(logger, policyContext, resp, startTime) + buildResponse(policyContext, resp, startTime) logger.V(4).Info("finished policy processing", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "rulesApplied", resp.PolicyResponse.RulesAppliedCount) }() @@ -91,11 +91,11 @@ func verifyAndPatchImages(logger logr.Logger, policyContext *PolicyContext, rule digest, err := cosign.Verify(image, []byte(key), logger) if err != nil { logger.Info("failed to verify image", "image", image, "key", key, "error", err, "duration", time.Since(start).Seconds()) - ruleResp.Success = false + ruleResp.Status = response.RuleStatusFail ruleResp.Message = fmt.Sprintf("image verification failed for %s: %v", image, err) } else { logger.V(3).Info("verified image", "image", image, "digest", digest, "duration", time.Since(start).Seconds()) - ruleResp.Success = true + ruleResp.Status = response.RuleStatusPass ruleResp.Message = fmt.Sprintf("image %s verified", image) // add digest to image 
diff --git a/pkg/engine/mutate/mutation.go b/pkg/engine/mutate/mutation.go index 5e403f16a5..067355c573 100644 --- a/pkg/engine/mutate/mutation.go +++ b/pkg/engine/mutate/mutation.go @@ -101,7 +101,7 @@ func (h patchesJSON6902Handler) Handle() (resp response.RuleResponse, patchedRes patchesJSON6902, err := convertPatchesToJSON(h.mutation.PatchesJSON6902) if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail h.logger.Error(err, "error in type conversion") resp.Message = err.Error() return resp, h.patchedResource diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go index 2c9bb5a3a0..766a902a31 100644 --- a/pkg/engine/mutate/overlay.go +++ b/pkg/engine/mutate/overlay.go @@ -38,25 +38,25 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou case conditionNotPresent: logger.V(3).Info("skip applying rule", "reason", "conditionNotPresent") - resp.Success = true + resp.Status = response.RuleStatusPass return resp, resource case conditionFailure: logger.V(3).Info("skip applying rule", "reason", "conditionFailure") //TODO: send zero response and not consider this as applied? - resp.Success = true + resp.Status = response.RuleStatusPass resp.Message = overlayerr.ErrorMsg() return resp, resource case overlayFailure: logger.Info("failed to process overlay") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg()) return resp, resource default: logger.Info("failed to process overlay") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("Unknown type of error: %v", overlayerr.Error()) return resp, resource } 
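Review bot: The `conditionNotPresent` and `conditionFailure` branches log "skip applying rule" yet are mapped one-for-one from `resp.Success = true` to `resp.Status = response.RuleStatusPass`, carrying over the existing `//TODO: send zero response and not consider this as applied?`; introducing a `RuleStatus` type is exactly the moment to resolve that, because a status can express "skipped" where the boolean could not. If the new `status.go` defines a skip value, set it here (`resp.Status = response.RuleStatusSkip`) so reports and metrics stop counting a rule whose anchor condition did not match as applied; if it does not, extend the TODO to say why pass remains the right value. `ProcessOverlay` and the enclosing switch start outside the hunk.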
@@ -64,14 +64,14 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou logger.V(4).Info("processing overlay rule", "patches", len(patches)) if len(patches) == 0 { - resp.Success = true + resp.Status = response.RuleStatusPass return resp, resource } // convert to RAW resourceRaw, err := resource.MarshalJSON() if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource @@ -82,7 +82,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou patchResource, err = utils.ApplyPatches(resourceRaw, patches) if err != nil { msg := fmt.Sprintf("failed to apply JSON patches: %v", err) - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = msg return resp, resource } @@ -91,13 +91,13 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou err = patchedResource.UnmarshalJSON(patchResource) if err != nil { logger.Error(err, "failed to unmarshal resource") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource } // rule application successfully - resp.Success = true + resp.Status = response.RuleStatusPass resp.Message = fmt.Sprintf("successfully processed overlay") resp.Patches = patches diff --git a/pkg/engine/mutate/patchJson6902.go b/pkg/engine/mutate/patchJson6902.go index f4bce5d180..5b62a1c9f7 100644 --- a/pkg/engine/mutate/patchJson6902.go +++ b/pkg/engine/mutate/patchJson6902.go 
@@ -27,7 +27,7 @@ func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unst resourceRaw, err := resource.MarshalJSON() if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to marshal resource: %v", err) return resp, resource @@ -35,7 +35,7 @@ func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unst patchedResourceRaw, err := applyPatchesWithOptions(resourceRaw, patchesJSON6902) if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "unable to apply RFC 6902 patches") resp.Message = fmt.Sprintf("unable to apply RFC 6902 patches: %v", err) return resp, resource @@ -43,7 +43,7 @@ func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unst patchesBytes, err := generatePatches(resourceRaw, patchedResourceRaw) if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "unable generate patch bytes from base and patched document, apply patchesJSON6902 directly") resp.Message = fmt.Sprintf("unable generate patch bytes from base and patched document, apply patchesJSON6902 directly: %v", err) return resp, resource @@ -56,12 +56,12 @@ func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unst err = patchedResource.UnmarshalJSON(patchedResourceRaw) if err != nil { logger.Error(err, "failed to unmarshal resource") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to unmarshal resource: %v", err) return resp, resource } - resp.Success = true + resp.Status = response.RuleStatusPass resp.Message = fmt.Sprintf("successfully process JSON6902 patches") resp.Patches = patchesBytes return resp, patchedResource diff --git a/pkg/engine/mutate/patchJson6902_test.go b/pkg/engine/mutate/patchJson6902_test.go index 7c22249fc8..94baf483d7 100644 
--- a/pkg/engine/mutate/patchJson6902_test.go +++ b/pkg/engine/mutate/patchJson6902_test.go @@ -2,6 +2,7 @@ package mutate import ( "fmt" + "github.com/kyverno/kyverno/pkg/engine/response" "testing" "github.com/ghodss/yaml" @@ -50,7 +51,7 @@ func TestTypeConversion(t *testing.T) { assert.Nil(t, err) // apply patches resp, _ := ProcessPatchJSON6902("type-conversion", jsonPatches, resource, log.Log) - if !assert.Equal(t, true, resp.Success) { + if !assert.Equal(t, response.RuleStatusPass, resp.Status) { t.Fatal(resp.Message) } diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go index 655afa04b7..4685ab9a64 100644 --- a/pkg/engine/mutate/patches.go +++ b/pkg/engine/mutate/patches.go @@ -35,7 +35,7 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation, // convert to RAW resourceRaw, err := resource.MarshalJSON() if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource @@ -67,7 +67,7 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation, // error while processing JSON patches if len(errs) > 0 { - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process JSON patches: %v", func() string { var str []string for _, err := range errs { 
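Review bot: The new `"github.com/kyverno/kyverno/pkg/engine/response"` import in the `@@ -2,6 +2,7 @@` hunk of patchJson6902_test.go is placed inside the standard-library group between `"fmt"` and `"testing"`, where goimports would move it down into the existing non-stdlib group. The same placement appears in the `@@ -1,6 +1,7 @@` hunk of patches_test.go and in the validation.go import hunk later on this page, where `"github.com/pkg/errors"` and `"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"` sit between `"fmt"` and `"reflect"`. Running goimports on the three files resolves all of them without any other change.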
@@ -80,13 +80,13 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation, err = patchedResource.UnmarshalJSON(resourceRaw) if err != nil { logger.Error(err, "failed to unmmarshal resource") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource } // JSON patches processed successfully - resp.Success = true + resp.Status = response.RuleStatusPass resp.Message = fmt.Sprintf("successfully process JSON patches") resp.Patches = patches return resp, patchedResource diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go index 9107ae62c0..76f73d7ab8 100644 --- a/pkg/engine/mutate/patches_test.go +++ b/pkg/engine/mutate/patches_test.go @@ -1,6 +1,7 @@ package mutate import ( + "github.com/kyverno/kyverno/pkg/engine/response" "testing" "gotest.tools/assert" @@ -43,7 +44,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, "", emptyRule.Mutation, *resourceUnstructured) - assert.Check(t, rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusPass) assert.Assert(t, len(rr.Patches) == 0) } @@ -72,14 +73,14 @@ func makeRuleWithPatches(patches []types.Patch) types.Rule { func TestProcessPatches_EmptyDocument(t *testing.T) { rule := makeRuleWithPatch(makeAddIsMutatedLabelPatch()) rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, unstructured.Unstructured{}) - assert.Assert(t, !rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusFail) assert.Assert(t, len(rr.Patches) == 0) } func TestProcessPatches_AllEmpty(t *testing.T) { emptyRule := types.Rule{} rr, _ := ProcessPatches(log.Log, "", emptyRule.Mutation, unstructured.Unstructured{}) - assert.Check(t, !rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusFail) assert.Assert(t, len(rr.Patches) == 0) } 
@@ -92,7 +93,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, !rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusFail) assert.Assert(t, len(rr.Patches) == 0) } @@ -104,7 +105,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusPass) assert.Assert(t, len(rr.Patches) == 0) } @@ -117,7 +118,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, !rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusFail) assert.Assert(t, len(rr.Patches) == 0) } @@ -131,7 +132,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusPass) assert.Assert(t, len(rr.Patches) != 0) assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, rr.Patches[0]) } @@ -144,7 +145,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusPass) assert.Assert(t, len(rr.Patches) == 0) } 
@@ -157,7 +158,7 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) { t.Error(err) } rr, _ := ProcessPatches(log.Log, rule.Name, rule.Mutation, *resourceUnstructured) - assert.Check(t, rr.Success) + assert.Equal(t, rr.Status, response.RuleStatusPass) assert.Assert(t, len(rr.Patches) == 1) assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, rr.Patches[0]) } diff --git a/pkg/engine/mutate/strategicMergePatch.go b/pkg/engine/mutate/strategicMergePatch.go index 933c6db7b3..899961393d 100644 --- a/pkg/engine/mutate/strategicMergePatch.go +++ b/pkg/engine/mutate/strategicMergePatch.go @@ -31,7 +31,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u overlayBytes, err := json.Marshal(overlay) if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process patchStrategicMerge: %v", err) return resp, resource @@ -39,7 +39,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u base, err := json.Marshal(resource.Object) if err != nil { - resp.Success = false + resp.Status = response.RuleStatusFail logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process patchStrategicMerge: %v", err) return resp, resource @@ -48,7 +48,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u if err != nil { log.Error(err, "failed to apply patchStrategicMerge") msg := fmt.Sprintf("failed to apply patchStrategicMerge: %v", err) - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = msg return resp, resource } 
@@ -56,7 +56,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u err = patchedResource.UnmarshalJSON(patchedBytes) if err != nil { logger.Error(err, "failed to unmarshal resource") - resp.Success = false + resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process patchStrategicMerge: %v", err) return resp, resource } @@ -66,7 +66,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u jsonPatches, err := generatePatches(base, patchedBytes) if err != nil { msg := fmt.Sprintf("failed to generated JSON patches from patched resource: %v", err.Error()) - resp.Success = false + resp.Status = response.RuleStatusFail log.Info(msg) resp.Message = msg return resp, patchedResource @@ -76,7 +76,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u log.V(5).Info("generated patch", "patch", string(p)) } - resp.Success = true + resp.Status = response.RuleStatusPass resp.Patches = jsonPatches resp.Message = "successfully processed strategic merge patch" return resp, patchedResource diff --git a/pkg/engine/mutate/strategicPreprocessing.go b/pkg/engine/mutate/strategicPreprocessing.go index abbec35142..3bd2d639da 100644 --- a/pkg/engine/mutate/strategicPreprocessing.go +++ b/pkg/engine/mutate/strategicPreprocessing.go @@ -335,8 +335,7 @@ func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNod return err } - _, err = validate.ValidateResourceWithPattern(logger, resourceInterface, patternInterface) - + err = validate.MatchPattern(logger, resourceInterface, patternInterface) return err } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 75a5a74ef4..b3e69d8606 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go 
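Review bot: In the `@@ -335,8 +335,7 @@` hunk of strategicPreprocessing.go, `err = validate.MatchPattern(...)` stores a `*PatternError` in the `error`-typed `err` that checkCondition already returns, so when MatchPattern returns a nil pointer the interface holds a typed nil and `return err` is non-nil for every caller; every overlay condition would then be reported as not matching. Return through an explicit nil check on the concrete type instead: `if perr := validate.MatchPattern(logger, resourceInterface, patternInterface); perr != nil { return perr }` followed by `return nil`. checkCondition starts outside the hunk, so the declared type of `err` is inferred from the earlier `return err` in the context lines.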
@@ -75,13 +75,13 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { // Restore() is meant for restoring context loaded from external lookup (APIServer & ConfigMap) // while we need to keep updated resource in the JSON context as rules can be chained resource, err := policyContext.JSONContext.Query("request.object") - policyContext.JSONContext.Restore() + policyContext.JSONContext.Reset() if err == nil && resource != nil { if err := ctx.AddResourceAsObject(resource.(map[string]interface{})); err != nil { logger.WithName("RestoreContext").Error(err, "unable to update resource object") } } else { - logger.WithName("RestoreContext").Error(err, "failed to quey resource object") + logger.WithName("RestoreContext").Error(err, "failed to query resource object") } if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil { @@ -118,7 +118,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { Name: ruleCopy.Name, Type: utils.Validation.String(), Message: fmt.Sprintf("variable substitution failed for rule %s: %s", ruleCopy.Name, err.Error()), - Success: true, + Status: response.RuleStatusPass, } incrementAppliedCount(resp) @@ -131,7 +131,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { mutation := ruleCopy.Mutation.DeepCopy() mutateHandler := mutate.CreateMutateHandler(ruleCopy.Name, mutation, patchedResource, ctx, logger) ruleResponse, patchedResource = mutateHandler.Handle() - if ruleResponse.Success { + if ruleResponse.Status == response.RuleStatusPass { // - overlay pattern does not match the resource conditions if ruleResponse.Patches == nil { continue diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index 96a5bc7c55..8a640e0291 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go 
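Review bot: The comment kept as context above the changed line in the `@@ -75,13 +75,13 @@` hunk of mutation.go still explains why `Restore()` is called, but the call is now `policyContext.JSONContext.Reset()`, so the comment no longer describes the code beneath it. If Reset's contract is what the surrounding text implies, `// Reset() drops per-rule context additions while keeping the updated resource, since rules can be chained` would keep the explanation accurate; Reset's definition is not on this page, so confirm before wording it.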
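Review bot: In the `@@ -118,7 +118,7 @@` hunk of mutation.go a rule whose variable substitution failed is still recorded with `Status: response.RuleStatusPass` and then counted by `incrementAppliedCount(resp)`, so a broken mutate rule reads as a successful policy evaluation. RuleStatusError introduced in this commit appears to be exactly this case: `Status: response.RuleStatusError,` with the message kept, and the error counter instead of the applied counter, as addRuleResponse in validation.go does on this page. If passing through is deliberate for mutation, a one-line comment saying so would stop the next reader from re-raising it.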
@@ -54,28 +54,40 @@ func (rs ResourceSpec) GetKey() string { //PolicyStats stores statistics for the single policy application type PolicyStats struct { + // time required to process the policy rules on a resource ProcessingTime time.Duration `json:"processingTime"` + // Count of rules that were applied successfully RulesAppliedCount int `json:"rulesAppliedCount"` + + // Count of rules that with execution errors + RulesErrorCount int `json:"rulesErrorCount"` + // Timestamp of the instant the Policy was triggered PolicyExecutionTimestamp int64 `json:"policyExecutionTimestamp"` } //RuleResponse details for each rule application type RuleResponse struct { + // rule name specified in policy Name string `json:"name"` + // rule type (Mutation,Generation,Validation) for Kyverno Policy Type string `json:"type"` + // message response from the rule application Message string `json:"message"` + // JSON patches, for mutation rules Patches [][]byte `json:"patches,omitempty"` - // success/fail - Success bool `json:"success"` + + // rule status + Status RuleStatus `json:"status"` + // statistics - RuleStats `json:",inline"` + RuleStats `json:",inline"` } //ToString ... @@ -94,20 +106,22 @@ type RuleStats struct { //IsSuccessful checks if any rule has failed or not func (er EngineResponse) IsSuccessful() bool { for _, r := range er.PolicyResponse.Rules { - if !r.Success { + if r.Status != RuleStatusPass { return false } } + return true } //IsFailed checks if any rule has succeeded or not func (er EngineResponse) IsFailed() bool { for _, r := range er.PolicyResponse.Rules { - if r.Success { + if r.Status == RuleStatusPass { return false } } + return true } 
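Review bot: The new field comment in the `@@ -54,28 +54,40 @@` hunk of response.go reads `// Count of rules that with execution errors`, which drops a word; `// Count of rules that ended with an execution error (RuleStatusError)` says what the field holds. The `// rule status` comment on `Status` would be more useful naming the valid values or pointing at RuleStatus, since the JSON form is a string and, with RuleStatusPass being the iota zero value in status.go, an unset field serialises as "Pass".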
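Review bot: In the `@@ -94,20 +106,22 @@` hunk of response.go, IsSuccessful now returns false for any rule whose status is not Pass and IsFailed returns true whenever no rule is Pass, so a response made only of RuleStatusSkip or RuleStatusWarn rules is reported as both unsuccessful and failed. Before the change both functions were driven by one boolean, so this is a new outcome for skipped rules; if skip and warn are not meant to block, IsSuccessful needs `if r.Status == RuleStatusFail || r.Status == RuleStatusError { return false }` and IsFailed a matching condition. A doc comment on each function stating which statuses count as failure would record the decision either way.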
@@ -125,12 +139,12 @@ func (er EngineResponse) GetPatches() [][]byte { //GetFailedRules returns failed rules func (er EngineResponse) GetFailedRules() []string { - return er.getRules(false) + return er.getRules(RuleStatusFail) } //GetSuccessRules returns success rules func (er EngineResponse) GetSuccessRules() []string { - return er.getRules(true) + return er.getRules(RuleStatusPass) } // GetResourceSpec returns resourceSpec of er @@ -144,10 +158,10 @@ func (er EngineResponse) GetResourceSpec() ResourceSpec { } } -func (er EngineResponse) getRules(success bool) []string { +func (er EngineResponse) getRules(status RuleStatus) []string { var rules []string for _, r := range er.PolicyResponse.Rules { - if r.Success == success { + if r.Status == status { rules = append(rules, r.Name) } } diff --git a/pkg/engine/response/status.go b/pkg/engine/response/status.go new file mode 100644 index 0000000000..e782a98a92 --- /dev/null +++ b/pkg/engine/response/status.go 
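Review bot: In the `@@ -125,12 +139,12 @@` hunk of response.go, GetFailedRules now returns only rules with RuleStatusFail, while IsSuccessful in the same file treats every non-Pass status as a failure; a rule that ended in RuleStatusError therefore makes the response unsuccessful but is missing from the failed-rules list that callers presumably report. Either GetFailedRules should include Error as well (getRules could take a predicate or a set of statuses instead of a single RuleStatus), or its doc comment should state that error-status rules are reported separately.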
@@ -0,0 +1,68 @@
+package response
+
+import (
+ "encoding/json"
+ "fmt"
+ "strings"
+)
+
+// RuleStatus represents the status of rule execution
+type RuleStatus int
+
+const (
+ // RuleStatusPass indicates that the policy rule requirements are met
+ RuleStatusPass RuleStatus = iota
+ // Fail indicates that the policy rule requirements are not met
+ RuleStatusFail
+ // Warn indicates that the policy rule requirements are not met, and the policy is not scored
+ RuleStatusWarn
+ // Error indicates that the policy rule could not be evaluated due to a processing error
+ RuleStatusError
+ // Skip indicates that the policy rule was not selected based on user inputs or applicability
+ RuleStatusSkip
+)
+
+func (s RuleStatus) String() string {
+ return toString[s]
+}
+
+var toString = map[RuleStatus]string{
+ RuleStatusPass: "Pass",
+ RuleStatusFail: "Fail",
+ RuleStatusWarn: "Warning",
+ RuleStatusError: "Error",
+ RuleStatusSkip: "Skip",
+}
+
+var toID = map[string]RuleStatus{
+ "Pass": RuleStatusPass,
+ "Fail": RuleStatusFail,
+ "Warning": RuleStatusWarn,
+ "Error": RuleStatusError,
+ "Skip": RuleStatusSkip,
+}
+
+// MarshalJSON marshals the enum as a quoted json string
+func (s RuleStatus) MarshalJSON() ([]byte, error) {
+ var b strings.Builder
+ fmt.Fprintf(&b, "\"%s\"", toString[s])
+ return []byte(b.String()), nil
+}
+
+// UnmarshalJSON unmarshals a quoted json string to the enum value
+func (s *RuleStatus) UnmarshalJSON(b []byte) error {
+ var j string
+ err := json.Unmarshal(b, &j)
+ if err != nil {
+ return err
+ }
+
+ for k, v := range toID {
+ if j == k {
+ *s = v
+ return nil
+ }
+ }
+
+ return fmt.Errorf("invalid status: %s", j)
+}
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 8b7929be18..0e792ace04 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
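Review bot: In the new status.go, RuleStatusPass is the iota zero value, so any RuleResponse whose Status is never assigned — for example the named result `resp response.RuleResponse` in the mutate handlers on this page when a path returns early — is treated and serialised as "Pass"; for an enforcement result that is a fail-open default, and either ordering the constants so the zero value is not Pass or stating on RuleStatus that every producer must set it explicitly would make the omission visible. MarshalJSON builds the quoted string by hand with `fmt.Fprintf(&b, "\"%s\"", toString[s])`, which emits `""` for a value outside the map and does no JSON escaping; `return json.Marshal(s.String())` is shorter and correct. UnmarshalJSON iterates the whole map to find one key, where `if v, ok := toID[j]; ok { *s = v; return nil }` does the lookup directly. The constant comments should begin with the full identifier (`// RuleStatusFail indicates …`) so golint and godoc attach them to the right name.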
@@ -392,7 +392,8 @@ func transformConditions(original apiextensions.JSON) (interface{}, error) { case []kyverno.Condition: // backwards compatibility return copyOldConditions(typedValue), nil } - return nil, fmt.Errorf("wrongfully configured data") + + return nil, fmt.Errorf("invalid preconditions") } // excludeResource checks if the resource has ownerRef set diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go index 3009fc3fb7..ccb67eb25a 100644 --- a/pkg/engine/validate/common.go +++ b/pkg/engine/validate/common.go @@ -40,3 +40,12 @@ func getRawKeyIfWrappedWithAttributes(str string) string { return str } } + +type PatternError struct { + msg string + Path string +} + +func (p* PatternError) Error() string { + return p.msg +} diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index cd109500ba..a49dae9243 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go 
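Review bot: In the `@@ -40,3 +40,12 @@` hunk of common.go the receiver is written `func (p* PatternError) Error() string`, which gofmt would reformat to `func (p *PatternError) Error() string`; the file should be gofmt-clean before merge. PatternError is exported but has no doc comment; `// PatternError reports a pattern mismatch; Path is the resource path that failed, and is empty for anchor-related errors.` matches how MatchPattern populates it on this page.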
@@ -12,24 +12,27 @@ import ( "github.com/kyverno/kyverno/pkg/engine/wildcards" ) -// ValidateResourceWithPattern is a start of element-by-element validation process +// MatchPattern is a start of element-by-element pattern validation process. // It assumes that validation is started from root, so "/" is passed -func ValidateResourceWithPattern(logger logr.Logger, resource, pattern interface{}) (string, error) { +func MatchPattern(logger logr.Logger, resource, pattern interface{}) *PatternError { // newAnchorMap - to check anchor key has values ac := common.NewAnchorMap() elemPath, err := validateResourceElement(logger, resource, pattern, pattern, "/", ac) if err != nil { if common.IsConditionalAnchorError(err.Error()) || common.IsGlobalAnchorError(err.Error()) { logger.V(3).Info(ac.AnchorError.Message) - return "", nil + return &PatternError{ac.AnchorError.Message, ""} } - if !ac.IsAnchorError() { - return elemPath, err + if ac.IsAnchorError() { + logger.V(3).Info("missing anchor in resource") + return &PatternError{err.Error(), ""} } + + return &PatternError{err.Error(), elemPath} } - return "", nil + return nil } // validateResourceElement detects the element type (map, array, nil, string, int, bool, float) diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index 89baba0883..d2685ff28a 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go @@ -1517,7 +1517,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { err = json.Unmarshal(testCase.resource, &resource) assert.NilError(t, err) - _, err = ValidateResourceWithPattern(log.Log, resource, pattern) + _, err = MatchPattern(log.Log, resource, pattern) if testCase.nilErr { assert.NilError(t, err, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\n", testCase.name, pattern, resource)) } else { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 88d68633b3..0fca50aa3e 100644 --- a/pkg/engine/validation.go 
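Review bot: In the `@@ -12,24 +12,27 @@` hunk of validate.go, a conditional or global anchor error that previously made the function return `"", nil` (rule not applicable, no failure) now returns a PatternError with an empty Path, and the validatePatterns hunk later on this page maps every empty-Path error to RuleStatusError, which addRuleResponse then counts in RulesErrorCount. A resource that simply does not satisfy a conditional anchor would thus surface as a processing error rather than a skip; if that is not intended, the three branches need distinguishable results, for example a `Skip bool` field on PatternError or a sentinel the caller checks, with that branch mapped to RuleStatusSkip. The struct literals such as `&PatternError{ac.AnchorError.Message, ""}` would also read better keyed: `&PatternError{msg: ac.AnchorError.Message, Path: ""}`.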
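Review bot: The `@@ -1517,7 +1517,7 @@` hunk of validate_test.go keeps the two-value form `_, err = MatchPattern(log.Log, resource, pattern)`, but MatchPattern as changed in this commit returns a single `*PatternError`, so the test file no longer compiles (assignment mismatch). Use `perr := MatchPattern(log.Log, resource, pattern)` and assert on `perr == nil` / `perr != nil` rather than storing the result in the existing `error`-typed `err`, because a nil `*PatternError` assigned to an `error` yields a non-nil interface and `assert.NilError` would then fail on every passing case. The enclosing test function starts outside the hunk.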
+++ b/pkg/engine/validation.go @@ -1,7 +1,10 @@ package engine import ( + "encoding/json" "fmt" + "github.com/pkg/errors" + "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" "reflect" "strings" "time" @@ -9,8 +12,6 @@ import ( "github.com/go-logr/logr" gojmespath "github.com/jmespath/go-jmespath" kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" - "github.com/kyverno/kyverno/pkg/engine/common" - "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/engine/utils" "github.com/kyverno/kyverno/pkg/engine/validate" @@ -27,7 +28,7 @@ func Validate(policyContext *PolicyContext) (resp *response.EngineResponse) { logger := buildLogger(policyContext) logger.V(4).Info("start policy processing", "startTime", startTime) defer func() { - buildResponse(logger, policyContext, resp, startTime) + buildResponse(policyContext, resp, startTime) logger.V(4).Info("finished policy processing", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount) }() @@ -46,14 +47,14 @@ func buildLogger(ctx *PolicyContext) logr.Logger { return logger } -func buildResponse(logger logr.Logger, ctx *PolicyContext, resp *response.EngineResponse, startTime time.Time) { +func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime time.Time) { if reflect.DeepEqual(resp, response.EngineResponse{}) { return } if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) { // for delete requests patched resource will be oldResource since newResource is empty - var resource unstructured.Unstructured = ctx.NewResource + var resource = ctx.NewResource if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) { resource = ctx.OldResource } 
@@ -76,10 +77,14 @@ func incrementAppliedCount(resp *response.EngineResponse) { resp.PolicyResponse.RulesAppliedCount++ } +func incrementErrorCount(resp *response.EngineResponse) { + resp.PolicyResponse.RulesErrorCount++ +} + func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineResponse { resp := &response.EngineResponse{} if ManagedPodResource(ctx.Policy, ctx.NewResource) { - log.V(5).Info("skip policy as direct changes to pods managed by workload controllers are not allowed", "policy", ctx.Policy.GetName()) + log.V(5).Info("skip validation of pods managed by workload controllers", "policy", ctx.Policy.GetName()) return resp } 
@@ -87,113 +92,275 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo defer ctx.JSONContext.Restore() for _, rule := range ctx.Policy.Spec.Rules { - var err error - if !rule.HasValidate() { continue } log = log.WithValues("rule", rule.Name) - if !matches(log, rule, ctx) { continue } - ctx.JSONContext.Restore() - if err := LoadContext(log, rule.Context, ctx.ResourceCache, ctx, rule.Name); err != nil { - if _, ok := err.(gojmespath.NotFoundError); ok { - log.V(3).Info("failed to load context", "reason", err.Error()) - } else { - log.Error(err, "failed to load context") - } - continue - } - log.V(3).Info("matched validate rule") + ctx.JSONContext.Reset() + startTime := time.Now() - ruleCopy := rule.DeepCopy() - ruleCopy.AnyAllConditions, err = variables.SubstituteAllInPreconditions(log, ctx.JSONContext, ruleCopy.AnyAllConditions) - if err != nil { - log.V(4).Info("failed to substitute vars in preconditions, skip current rule", "rule name", rule.Name) - return nil - } - - preconditions, err := transformConditions(ruleCopy.AnyAllConditions) - if err != nil { - log.V(2).Info("wrongfully configured data", "reason", err.Error()) - continue - } - - // evaluate pre-conditions - if !variables.EvaluateConditions(log, ctx.JSONContext, preconditions) { - log.V(4).Info("resource fails the preconditions") - continue - } - - if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil { - if *ruleCopy, err = substituteAll(log, ctx, *ruleCopy, resp); err != nil { - continue - } - - ruleResponse := validateResourceWithRule(log, ctx, *ruleCopy) - if ruleResponse != nil { - if !common.IsConditionalAnchorError(ruleResponse.Message) { - incrementAppliedCount(resp) - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResponse) - } - } - } else if rule.Validation.Deny != nil { - ruleCopy.Validation.Deny.AnyAllConditions, err = variables.SubstituteAllInPreconditions(log, ctx.JSONContext, ruleCopy.Validation.Deny.AnyAllConditions) - 
if err != nil { - log.V(4).Info("failed to substitute vars in preconditions, skip current rule", "rule name", rule.Name) - continue - } - - if *ruleCopy, err = substituteAll(log, ctx, *ruleCopy, resp); err != nil { - continue - } - - denyConditions, err := transformConditions(ruleCopy.Validation.Deny.AnyAllConditions) - if err != nil { - log.V(2).Info("wrongfully configured data", "reason", err.Error()) - continue - } - - deny := variables.EvaluateConditions(log, ctx.JSONContext, denyConditions) - ruleResp := response.RuleResponse{ - Name: ruleCopy.Name, - Type: utils.Validation.String(), - Message: ruleCopy.Validation.Message, - Success: !deny, - } - - incrementAppliedCount(resp) - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp) + ruleResp := processValidationRule(log, ctx, &rule) + if ruleResp != nil { + addRuleResponse(log, resp, ruleResp, startTime) } } return resp } -func validateResourceWithRule(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule) (resp *response.RuleResponse) { - if reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) { - resp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule) - return &resp +func processValidationRule(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *response.RuleResponse { + if rule.Validation.ForEachValidation != nil { + v := newValidator(log, ctx, rule) + return v.validateForEach() } - if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) { - log.V(3).Info("skipping validation on deleted resource") + v := newValidator(log, ctx, rule) + return v.validate() +} + +func addRuleResponse(log logr.Logger, resp *response.EngineResponse, ruleResp *response.RuleResponse, startTime time.Time) { + ruleResp.RuleStats.ProcessingTime = time.Since(startTime) + ruleResp.RuleStats.RuleExecutionTimestamp = startTime.Unix() + log.V(4).Info("finished processing rule", "processingTime", ruleResp.RuleStats.ProcessingTime.String()) + + if ruleResp.Status == 
response.RuleStatusPass || ruleResp.Status == response.RuleStatusFail { + incrementAppliedCount(resp) + } else if ruleResp.Status == response.RuleStatusError { + incrementErrorCount(resp) + } + + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp) +} + +type validator struct { + log logr.Logger + ctx *PolicyContext + rule *kyverno.Rule + contextEntries []kyverno.ContextEntry + anyAllConditions apiextensions.JSON + pattern apiextensions.JSON + anyPattern apiextensions.JSON + deny *kyverno.Deny +} + +func newValidator(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *validator { + ruleCopy := rule.DeepCopy() + return &validator{ + log: log, + rule: ruleCopy, + ctx: ctx, + contextEntries: ruleCopy.Context, + anyAllConditions: ruleCopy.AnyAllConditions, + pattern: ruleCopy.Validation.Pattern, + anyPattern: ruleCopy.Validation.AnyPattern, + deny: ruleCopy.Validation.Deny, + } +} + +func newForeachValidator(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *validator { + ruleCopy := rule.DeepCopy() + return &validator{ + log: log, + ctx: ctx, + rule: ruleCopy, + contextEntries: ruleCopy.Validation.ForEachValidation.Context, + anyAllConditions: ruleCopy.Validation.ForEachValidation.AnyAllConditions, + pattern: ruleCopy.Validation.ForEachValidation.Pattern, + anyPattern: ruleCopy.Validation.ForEachValidation.AnyPattern, + deny: ruleCopy.Validation.ForEachValidation.Deny, + } +} + +func (v *validator) validate() *response.RuleResponse { + if err := v.loadContext(); err != nil { + return ruleError(v.rule, "failed to load context", err) + } + + preconditionsPassed, err := v.checkPreconditions() + if err != nil { + return ruleError(v.rule, "failed to evaluate preconditions", err) + } else if !preconditionsPassed { + return ruleResponse(v.rule, "", response.RuleStatusSkip) + } + + if v.rule.Validation.Pattern != nil || v.rule.Validation.AnyPattern != nil { + if err = v.substitutePatterns(); err != nil { + return ruleError(v.rule, "variable 
substitution failed", err) + } + + ruleResponse := v.validateResourceWithRule() + return ruleResponse + + } else if v.rule.Validation.Deny != nil { + ruleResponse := v.validateDeny() + return ruleResponse + } + + v.log.Info("invalid validation rule: either patterns or deny conditions are expected") + return nil +} + +func (v *validator) validateForEach() *response.RuleResponse { + if err := v.loadContext(); err != nil { + return ruleError(v.rule, "failed to load context", err) + } + + preconditionsPassed, err := v.checkPreconditions() + if err != nil { + return ruleError(v.rule, "failed to evaluate preconditions", err) + } else if !preconditionsPassed { + return ruleResponse(v.rule, "", response.RuleStatusSkip) + } + + foreach := v.rule.Validation.ForEachValidation + if foreach == nil { return nil } - oldResp := validatePatterns(log, ctx.JSONContext, ctx.OldResource, rule) - newResp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule) + elements, err := v.evaluateList(foreach.List) + if err != nil { + msg := fmt.Sprintf("failed to evaluate list %s", foreach.List) + return ruleError(v.rule, msg, err) + } + + v.ctx.JSONContext.Checkpoint() + defer v.ctx.JSONContext.Restore() + + for _, e := range elements { + v.ctx.JSONContext.Reset() + + elementData := make(map[string]interface{}) + elementData["element"] = e + jsonData, err := json.Marshal(elementData) + if err != nil { + return ruleError(v.rule, fmt.Sprintf("failed to marshall element %v", e), err) + } + + if err := v.ctx.JSONContext.AddJSON(jsonData); err != nil { + return ruleError(v.rule, fmt.Sprintf("failed add element (%s) to context", string(jsonData)), err) + } + + foreachValidator := newForeachValidator(v.log, v.ctx, v.rule) + r := foreachValidator.validate() + if r.Status != response.RuleStatusPass { + + } + } + + return ruleResponse(v.rule, "", response.RuleStatusPass) +} + +func (v *validator) evaluateList(jmesPath string) ([]interface{}, error) { + i, err := 
v.ctx.JSONContext.Query(jmesPath) + if err != nil { + return nil, err + } + + l, ok := i.([]interface{}) + if !ok { + return []interface{}{i}, nil + } + + return l, nil +} + + +func (v *validator) loadContext() error { + if err := LoadContext(v.log, v.contextEntries, v.ctx.ResourceCache, v.ctx, v.rule.Name); err != nil { + if _, ok := err.(gojmespath.NotFoundError); ok { + v.log.V(3).Info("failed to load context", "reason", err.Error()) + } else { + v.log.Error(err, "failed to load context") + } + + return err + } + + return nil +} + +func (v *validator) checkPreconditions() (bool, error) { + preconditions, err := variables.SubstituteAllInPreconditions(v.log, v.ctx.JSONContext, v.anyAllConditions) + if err != nil { + return false, errors.Wrapf(err, "failed to substitute variables in preconditions") + } + + typeConditions, err := transformConditions(preconditions) + if err != nil { + return false, errors.Wrapf(err, "failed to parse preconditions") + } + + pass := variables.EvaluateConditions(v.log, v.ctx.JSONContext, typeConditions) + return pass, nil +} + +func (v *validator) validateDeny() *response.RuleResponse { + anyAllCond := v.deny.AnyAllConditions + anyAllCond, err := variables.SubstituteAllInPreconditions(v.log, v.ctx.JSONContext, anyAllCond) + if err != nil { + return ruleError(v.rule, "failed to substitute variables in preconditions", err) + } + + if err = v.substituteDeny(); err != nil { + return ruleError(v.rule, "failed to substitute variables in rule", err) + } + + denyConditions, err := transformConditions(anyAllCond) + if err != nil { + return ruleError(v.rule, "invalid deny conditions", err) + } + + deny := variables.EvaluateConditions(v.log, v.ctx.JSONContext, denyConditions) + if deny { + return ruleResponse(v.rule, v.getDenyMessage(deny), response.RuleStatusFail) + } + + return ruleResponse(v.rule, v.getDenyMessage(deny), response.RuleStatusPass) +} + +func (v *validator) getDenyMessage(deny bool) string { + if !deny { + return 
fmt.Sprintf("validation rule '%s' passed.", v.rule.Name) + } + + msg := v.rule.Validation.Message + if msg == "" { + return fmt.Sprintf("validation error: rule %s failed", v.rule.Name) + } + + raw, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, msg) + if err != nil { + return msg + } + + return raw.(string) +} + +func (v *validator) validateResourceWithRule() *response.RuleResponse { + if reflect.DeepEqual(v.ctx.OldResource, unstructured.Unstructured{}) { + resp := v.validatePatterns(v.ctx.NewResource) + return resp + } + + if reflect.DeepEqual(v.ctx.NewResource, unstructured.Unstructured{}) { + v.log.V(3).Info("skipping validation on deleted resource") + return nil + } + + oldResp := v.validatePatterns(v.ctx.OldResource) + newResp := v.validatePatterns(v.ctx.NewResource) if isSameRuleResponse(oldResp, newResp) { - log.V(3).Info("skipping modified resource as validation results have not changed") + v.log.V(3).Info("skipping modified resource as validation results have not changed") return nil } - return &newResp + return newResp } // matches checks if either the new or old resource satisfies the filter conditions defined in the rule @@ -214,7 +381,7 @@ func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool { return false } -func isSameRuleResponse(r1 response.RuleResponse, r2 response.RuleResponse) bool { +func isSameRuleResponse(r1 *response.RuleResponse, r2 *response.RuleResponse) bool { if r1.Name != r2.Name { return false } @@ -227,7 +394,7 @@ func isSameRuleResponse(r1 response.RuleResponse, r2 response.RuleResponse) bool return false } - if r1.Success != r2.Success { + if r1.Status != r2.Status { return false } 
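Review bot: In validateForEach, new in the `@@ -87,113 +92,275 @@` hunk of validation.go, the per-element result is checked with `if r.Status != response.RuleStatusPass { }` whose body is empty, and the function then returns RuleStatusPass unconditionally, so a foreach validation never fails whatever the elements contain; for an admission policy that is a full bypass of the rule. In the same loop `r` can be nil: newForeachValidator stores the foreach pattern, anyPattern and deny in `v.pattern`, `v.anyPattern` and `v.deny`, but validate() dispatches on `v.rule.Validation.Pattern`, `AnyPattern` and `Deny` and returns nil when none is set, so a rule with only a foreach pattern would dereference nil at `r.Status` (validateResourceWithRule also returns nil for deleted or unchanged resources). The loop should fail closed on the first non-pass element, as below, and validate() should dispatch on the validator's own fields: `if v.pattern != nil || v.anyPattern != nil {` and `} else if v.deny != nil {`. processValidationRule also calls newValidator in both branches, so the duplicate can be folded into one constructor call before the ForEachValidation check.
```go
// … unchanged: element context setup and newForeachValidator call …
r := foreachValidator.validate()
if r == nil {
	return ruleResponse(v.rule, fmt.Sprintf("no validation result for element %v", e), response.RuleStatusError)
}
if r.Status != response.RuleStatusPass {
	return r
}
```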
@@ -235,57 +402,47 @@ func isSameRuleResponse(r1 response.RuleResponse, r2 response.RuleResponse) bool } // validatePatterns validate pattern and anyPattern -func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) { - startTime := time.Now() - logger := log.WithValues("rule", rule.Name, "name", resource.GetName(), "kind", resource.GetKind()) - logger.V(5).Info("start processing rule", "startTime", startTime) - resp.Name = rule.Name - resp.Type = utils.Validation.String() - defer func() { - resp.RuleStats.ProcessingTime = time.Since(startTime) - resp.RuleStats.RuleExecutionTimestamp = startTime.Unix() - logger.V(4).Info("finished processing rule", "processingTime", resp.RuleStats.ProcessingTime.String()) - }() +func (v *validator) validatePatterns(resource unstructured.Unstructured) *response.RuleResponse { + if v.pattern != nil { + if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil { + v.log.V(3).Info("validation error", "path", err.Path, "error", err.Error()) + if err.Path == "" { + return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError) + } - validationRule := rule.Validation.DeepCopy() - if validationRule.Pattern != nil { - pattern := validationRule.Pattern - - if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil { - logger.V(3).Info("validation failed", "path", path, "error", err.Error()) - resp.Success = false - resp.Message = buildErrorMessage(rule, path) - return resp + return ruleResponse(v.rule, v.buildErrorMessage(err, err.Path), response.RuleStatusFail) } - logger.V(4).Info("successfully processed rule") - resp.Success = true - resp.Message = fmt.Sprintf("validation rule '%s' passed.", rule.Name) - return resp + v.log.V(4).Info("successfully processed rule") + msg := fmt.Sprintf("validation rule '%s' passed.", v.rule.Name) + return ruleResponse(v.rule, msg, 
response.RuleStatusPass) } - if validationRule.AnyPattern != nil { + if v.anyPattern != nil { var failedAnyPatternsErrors []error var err error - anyPatterns, err := rule.Validation.DeserializeAnyPattern() + anyPatterns, err := deserializeAnyPattern(v.anyPattern) if err != nil { - resp.Success = false - resp.Message = fmt.Sprintf("failed to deserialize anyPattern, expected type array: %v", err) - return resp + msg := fmt.Sprintf("failed to deserialize anyPattern, expected type array: %v", err) + return ruleResponse(v.rule, msg, response.RuleStatusError) } for idx, pattern := range anyPatterns { - path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern) + err := validate.MatchPattern(v.log, resource.Object, pattern) if err == nil { - resp.Success = true - resp.Message = fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", rule.Name, idx) - return resp + msg := fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", v.rule.Name, idx) + return ruleResponse(v.rule, msg, response.RuleStatusPass) } - logger.V(4).Info("validation rule failed", "anyPattern[%d]", idx, "path", path) - patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", rule.Name, idx, path) - failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", err.Path) + if err.Path == "" { + patternErr := fmt.Errorf("Rule %s[%d] failed: %s.", v.rule.Name, idx, err.Error()) + failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + } else { + patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", v.rule.Name, idx, err.Path) + failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + } } // Any Pattern validation errors 
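Review bot: The rewritten validatePatterns drops the per-rule statistics the removed defer used to record (resp.RuleStats.ProcessingTime and RuleExecutionTimestamp), and ruleResponse, as defined later in this patch, fills only Name, Type, Message and Status, so unless the caller restores RuleStats the execution-duration metrics presumably lose their timing data. The structured log call `v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", err.Path)` also passes a printf verb as a logr key, which is emitted verbatim rather than formatted; use `"anyPattern", idx`. The anyPattern branch of this function continues past the end of the hunk.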
@@ -295,30 +452,60 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr errorStr = append(errorStr, err.Error()) } - log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr)) - - resp.Success = false - resp.Message = buildAnyPatternErrorMessage(rule, errorStr) - return resp + v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", v.rule.Name, errorStr)) + msg := buildAnyPatternErrorMessage(v.rule, errorStr) + return ruleResponse(v.rule, msg, response.RuleStatusFail) } } - return resp + return ruleResponse(v.rule, v.rule.Validation.Message, response.RuleStatusPass) } -func buildErrorMessage(rule kyverno.Rule, path string) string { - if rule.Validation.Message == "" { - return fmt.Sprintf("validation error: rule %s failed at path %s", rule.Name, path) +func deserializeAnyPattern(anyPattern apiextensions.JSON ) ([]interface{}, error) { + if anyPattern == nil { + return nil, nil } - if strings.HasSuffix(rule.Validation.Message, ".") { - return fmt.Sprintf("validation error: %s Rule %s failed at path %s", rule.Validation.Message, rule.Name, path) + ap, err := json.Marshal(anyPattern) + if err != nil { + return nil, err } - return fmt.Sprintf("validation error: %s. 
Rule %s failed at path %s", rule.Validation.Message, rule.Name, path) + var res []interface{} + if err := json.Unmarshal(ap, &res); err != nil { + return nil, err + } + + return res, nil } -func buildAnyPatternErrorMessage(rule kyverno.Rule, errors []string) string { +func (v *validator) buildErrorMessage(err error, path string) string { + if v.rule.Validation.Message == "" { + if path != "" { + return fmt.Sprintf("validation error: rule %s failed at path %s", v.rule.Name, path) + } + + return fmt.Sprintf("validation error: rule %s execution error: %s", v.rule.Name, err.Error()) + } + + msgRaw, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.rule.Validation.Message) + if err != nil { + v.log.Info("failed to substitute variables in message: %v", err) + } + + msg := msgRaw.(string) + if !strings.HasSuffix(msg, ".") { + msg = msg + "." + } + + if path != "" { + return fmt.Sprintf("validation error: %s Rule %s failed at path %s", msg, v.rule.Name, path) + } + + return fmt.Sprintf("validation error: %s Rule %s execution error: %s", msg, v.rule.Name, err.Error()) +} + +func buildAnyPatternErrorMessage(rule *kyverno.Rule, errors []string) string { errStr := strings.Join(errors, " ") if rule.Validation.Message == "" { return fmt.Sprintf("validation error: %s", errStr) 
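Review bot: `msgRaw, err := variables.SubstituteAll(...)` in buildErrorMessage reassigns the `err` parameter (parameters live in the function body's scope, so `:=` reuses them), so after a successful substitution the execution-error branch at the bottom (custom message, empty path) calls `err.Error()` on a nil error and panics; when substitution fails the code only logs and then performs the unchecked `msgRaw.(string)`, which panics if the returned value is nil or not a string. The log call also hands logr's Info a printf verb, but Info takes key/value pairs, not a format string. Keep the substitution error in its own variable and fall back to the raw message with a comma-ok assertion.
```go
func (v *validator) buildErrorMessage(err error, path string) string {
	// … unchanged: empty-Validation.Message branch …

	msg := v.rule.Validation.Message
	if msgRaw, subErr := variables.SubstituteAll(v.log, v.ctx.JSONContext, msg); subErr != nil {
		v.log.Info("failed to substitute variables in message", "error", subErr.Error())
	} else if s, ok := msgRaw.(string); ok {
		msg = s
	}

	if !strings.HasSuffix(msg, ".") {
		msg = msg + "."
	}
	// … unchanged: path / execution-error formatting using the original err …
}
```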
@@ -331,28 +518,54 @@ func buildAnyPatternErrorMessage(rule kyverno.Rule, errors []string) string { return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr) } -func substituteAll(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule, resp *response.EngineResponse) (kyverno.Rule, error) { - var err error - if rule, err = variables.SubstituteAllInRule(log, ctx.JSONContext, rule); err != nil { - ruleResp := response.RuleResponse{ - Name: rule.Name, - Type: utils.Validation.String(), - Message: fmt.Sprintf("variable substitution failed for rule %s: %s", rule.Name, err.Error()), - Success: true, +func (v *validator) substitutePatterns() error { + if v.pattern != nil { + i, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.pattern) + if err != nil { + return err } - incrementAppliedCount(resp) - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp) - - switch err.(type) { - case gojmespath.NotFoundError: - log.V(2).Info("failed to substitute variables, skip current rule", "info", err.Error(), "rule name", rule.Name) - default: - log.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name) - } - - return rule, err + v.pattern = i.(apiextensions.JSON) + return nil } - return rule, nil + if v.anyPattern != nil { + i, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.anyPattern) + if err != nil { + return err + } + + v.anyPattern = i.(apiextensions.JSON) + return nil + } + + return nil } + +func (v *validator) substituteDeny() error { + if v.deny == nil { + return nil + } + + i, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.deny) + if err != nil { + return err + } + + v.deny = i.(*kyverno.Deny) + return nil +} + +func ruleError(rule *kyverno.Rule, msg string, err error) *response.RuleResponse { + msg = fmt.Sprintf("%s for rule %s: %s", msg, rule.Name, err.Error()) + return ruleResponse(rule, msg, response.RuleStatusError) +} + +func ruleResponse(rule *kyverno.Rule, msg 
string, status response.RuleStatus) *response.RuleResponse { + return &response.RuleResponse{ + Name: rule.Name, + Type: utils.Validation.String(), + Message: msg, + Status: status, + } +} \ No newline at end of file diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index c3a49c176b..9395052b08 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -2,6 +2,7 @@ package engine import ( "encoding/json" + "github.com/kyverno/kyverno/pkg/engine/response" "testing" kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" @@ -127,10 +128,12 @@ func TestValidate_image_tag_fail(t *testing.T) { "validation rule 'validate-tag' passed.", "validation error: imagePullPolicy 'Always' required with tag 'latest'. Rule validate-latest failed at path /spec/containers/0/imagePullPolicy/", } + er := Validate(&PolicyContext{Policy: policy, NewResource: *resourceUnstructured, JSONContext: context.NewContext()}) for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) } + assert.Assert(t, !er.IsSuccessful()) } @@ -1474,7 +1477,7 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) { JSONContext: ctx, NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path") } 
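Review bot: `v.deny = i.(*kyverno.Deny)` in substituteDeny is an unchecked type assertion on the value returned by variables.SubstituteAll; the substituteAll helper introduced in this patch pushes the document through substituteReferences and substituteVars as a plain interface{}, and if that pipeline hands back a decoded generic document rather than the original pointer, the assertion panics on the admission path instead of surfacing as a rule error. Use the comma-ok form and report the failure: `d, ok := i.(*kyverno.Deny)` / `if !ok { return fmt.Errorf("unexpected type %T for deny after substitution", i) }` / `v.deny = d`. The `i.(apiextensions.JSON)` assertions in substitutePatterns are lower risk since that target is an interface type and only a nil `i` would trip them, but a nil check there costs one line.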
@@ -1566,7 +1569,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSu JSONContext: ctx, NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path") } @@ -1625,7 +1628,7 @@ func Test_VariableSubstitution_NotOperatorWithStringVariable(t *testing.T) { JSONContext: ctx, NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, !er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusFail) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "validation error: rule not-operator-with-variable-should-alway-fail-validation failed at path /spec/content/") } @@ -1716,7 +1719,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test JSONContext: ctx, NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path") } @@ -1808,7 +1811,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, !er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusFail) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "validation error: Rule test-path-not-exist[0] failed at path /spec/template/spec/containers/0/name/. Rule test-path-not-exist[1] failed at path /spec/template/spec/containers/0/name/.") } 
@@ -1912,7 +1915,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. JSONContext: ctx, NewResource: *resourceUnstructured} er := Validate(policyContext) - assert.Assert(t, !er.PolicyResponse.Rules[0].Success) + assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusFail) assert.Equal(t, er.PolicyResponse.Rules[0].Message, "The animal cow is not in the allowed list of animals.") } 
@@ -1921,32 +1924,32 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { name string policyRaw []byte resourceRaw []byte - expectedResult bool - expectedMessage string + expectedResults []response.RuleStatus + expectedMessages []string }{ { name: "path-not-present", policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path not present resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}}`), - expectedResult: false, - expectedMessage: "spec.sourceRef.namespace must be the same as metadata.namespace", + expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusFail}, + expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "spec.sourceRef.namespace must be the same as metadata.namespace"}, }, { name: "resource-with-violation", policyRaw: 
[]byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace {{request.object.spec.sourceRef.namespace}} must be the same as metadata.namespace {{request.object.metadata.namespace}}","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path present with different value resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"default"},"prune":true,"validation":"client"}}`), - expectedResult: false, - expectedMessage: "spec.sourceRef.namespace default must be the same as metadata.namespace apps", + expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusFail}, + expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "spec.sourceRef.namespace default must be the same as metadata.namespace apps"}, }, { name: "resource-comply", policyRaw: 
[]byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path present with same value - validate passes resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"apps"},"prune":true,"validation":"client"}}`), - expectedResult: true, - expectedMessage: "spec.sourceRef.namespace must be the same as metadata.namespace", + expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusPass}, + expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "validation rule 'sourceRefNamespace' passed."}, }, } 
@@ -1967,10 +1970,8 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { er := Validate(policyContext) for i, rule := range er.PolicyResponse.Rules { - if rule.Name == "sourceRefNamespace" { - assert.Equal(t, er.PolicyResponse.Rules[i].Success, test.expectedResult) - assert.Equal(t, er.PolicyResponse.Rules[i].Message, test.expectedMessage, "\ntest %s failed\nexpected: %s\nactual: %s", test.name, test.expectedMessage, rule.Message) - } + assert.Equal(t, er.PolicyResponse.Rules[i].Status, test.expectedResults[i]) + assert.Equal(t, er.PolicyResponse.Rules[i].Message, test.expectedMessages[i], "\ntest %s failed\nexpected: %s\nactual: %s", test.name, test.expectedMessages[i], rule.Message) } } } diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index b3ef7da034..ec3e21d699 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go 
@@ -38,22 +38,13 @@ func ReplaceAllVars(src string, repl func(string) string) string { return RegexVariables.ReplaceAllStringFunc(src, repl) } -func SubstituteAll(log logr.Logger, ctx context.EvalInterface, document interface{}) (_ interface{}, err error) { - document, err = substituteReferences(log, document) - if err != nil { - return kyverno.Rule{}, err - } - - return substituteVars(log, ctx, document, DefaultVariableResolver) -} - func newPreconditionsVariableResolver(log logr.Logger) VariableResolver { // PreconditionsVariableResolver is used to substitute vars in preconditions. - // It returns empty string if error occured during substitution + // It returns an empty string if an error occurs during the substitution. return func(ctx context.EvalInterface, variable string) (interface{}, error) { value, err := DefaultVariableResolver(ctx, variable) if err != nil { - log.V(4).Info(fmt.Sprintf("Variable \"%s\" is not resolved in preconditions. Considering it as an empty string", variable)) + log.V(4).Info(fmt.Sprintf("using empty string for unresolved variable \"%s\" in preconditions", variable)) return "", nil } 
@@ -61,13 +52,66 @@ func newPreconditionsVariableResolver(log logr.Logger) VariableResolver { } } +func SubstituteAll(log logr.Logger, ctx context.EvalInterface, document interface{}) (_ interface{}, err error) { + return substituteAll(log, ctx, document, DefaultVariableResolver) +} + func SubstituteAllInPreconditions(log logr.Logger, ctx context.EvalInterface, document interface{}) (_ interface{}, err error) { + return substituteAll(log, ctx, document, newPreconditionsVariableResolver(log)) +} + +func SubstituteAllInRule(log logr.Logger, ctx context.EvalInterface, typedRule kyverno.Rule) (_ kyverno.Rule, err error) { + var rule interface{} + rule, err = RuleToUntyped(typedRule) + if err != nil { + return typedRule, err + } + + rule, err = SubstituteAll(log, ctx, rule) + if err != nil { + return typedRule, err + } + + return UntypedToRule(rule) +} + +func RuleToUntyped(rule kyverno.Rule) (interface{}, error) { + jsonRule, err := json.Marshal(rule) + if err != nil { + return nil, err + } + + var untyped interface{} + err = json.Unmarshal(jsonRule, &untyped) + if err != nil { + return nil, err + } + + return untyped, nil +} + +func UntypedToRule(untyped interface{}) (kyverno.Rule, error) { + jsonRule, err := json.Marshal(untyped) + if err != nil { + return kyverno.Rule{}, err + } + + var rule kyverno.Rule + err = json.Unmarshal(jsonRule, &rule) + if err != nil { + return kyverno.Rule{}, err + } + + return rule, nil +} + +func substituteAll(log logr.Logger, ctx context.EvalInterface, document interface{}, resolver VariableResolver) (_ interface{}, err error) { document, err = substituteReferences(log, document) if err != nil { return kyverno.Rule{}, err } - return substituteVars(log, ctx, document, newPreconditionsVariableResolver(log)) + return substituteVars(log, ctx, document, resolver) } func SubstituteAllForceMutate(log logr.Logger, ctx context.EvalInterface, typedRule kyverno.Rule) (_ kyverno.Rule, err error) { 
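Review bot: `substituteAll` returns `kyverno.Rule{}, err` when substituteReferences fails, yet the helper now serves arbitrary documents (patterns, deny blocks, preconditions), so the boxed zero Rule is a misleading non-nil result for any caller that inspects the value before the error; return `nil, err` instead. The newly exported SubstituteAll and SubstituteAllInPreconditions also lack doc comments: `// SubstituteAll resolves references and variables in document using the default resolver.` and `// SubstituteAllInPreconditions is like SubstituteAll but substitutes an empty string for variables that cannot be resolved.` would document the behavioural difference that the preconditions resolver's log message in the previous hunk describes.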
@@ -373,57 +417,6 @@ func getValueFromReference(fullDocument interface{}, path string) (interface{}, return element, nil } -func SubstituteAllInRule(log logr.Logger, ctx context.EvalInterface, typedRule kyverno.Rule) (_ kyverno.Rule, err error) { - var rule interface{} - - rule, err = RuleToUntyped(typedRule) - if err != nil { - return typedRule, err - } - - rule, err = substituteReferences(log, rule) - if err != nil { - return typedRule, err - } - - rule, err = substituteVars(log, ctx, rule, DefaultVariableResolver) - if err != nil { - return typedRule, err - } - - return UntypedToRule(rule) -} - -func RuleToUntyped(rule kyverno.Rule) (interface{}, error) { - jsonRule, err := json.Marshal(rule) - if err != nil { - return nil, err - } - - var untyped interface{} - err = json.Unmarshal(jsonRule, &untyped) - if err != nil { - return nil, err - } - - return untyped, nil -} - -func UntypedToRule(untyped interface{}) (kyverno.Rule, error) { - jsonRule, err := json.Marshal(untyped) - if err != nil { - return kyverno.Rule{}, err - } - - var rule kyverno.Rule - err = json.Unmarshal(jsonRule, &rule) - if err != nil { - return kyverno.Rule{}, err - } - - return rule, nil -} - func replaceSubstituteVariables(document interface{}) interface{} { rawDocument, err := json.Marshal(document) if err != nil { diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index bae06323e3..581e87c0bc 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "fmt" + "github.com/kyverno/kyverno/pkg/engine/response" "reflect" "strings" "time" 
@@ -149,7 +150,7 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern var applicableRules []string // Removing GR if rule is failed. Used when the generate condition failed but gr exist for _, r := range engineResponse.PolicyResponse.Rules { - if !r.Success { + if r.Status != response.RuleStatusPass { logger.V(4).Info("querying all generate requests") selector := labels.SelectorFromSet(labels.Set(map[string]string{ "generate.kyverno.io/policy-name": engineResponse.PolicyResponse.Policy.Name, diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index cd284c21bb..d997f43067 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -764,7 +764,7 @@ func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *r Message: valResponseRule.Message, } - if valResponseRule.Success { + if valResponseRule.Status == response.RuleStatusPass { rc.Pass++ vrule.Check = report.StatusPass } else { @@ -819,7 +819,7 @@ func processGenerateEngineResponse(policy *v1.ClusterPolicy, generateResponse *r for i, genResponseRule := range generateResponse.PolicyResponse.Rules { if policyRule.Name == genResponseRule.Name { ruleFoundInEngineResponse = true - if genResponseRule.Success { + if genResponseRule.Status == response.RuleStatusPass { rc.Pass++ } else { if printCount < 1 { @@ -890,7 +890,7 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo for i, mutateResponseRule := range mutateResponse.PolicyResponse.Rules { if policyRule.Name == mutateResponseRule.Name { ruleFoundInEngineResponse = true - if mutateResponseRule.Success { + if mutateResponseRule.Status == response.RuleStatusPass { rc.Pass++ printMutatedRes = true } else { diff --git a/pkg/metrics/policyexecutionduration/policyExecutionDuration.go b/pkg/metrics/policyexecutionduration/policyExecutionDuration.go index cd73be7e13..fed8507617 100644 --- a/pkg/metrics/policyexecutionduration/policyExecutionDuration.go 
+++ b/pkg/metrics/policyexecutionduration/policyExecutionDuration.go @@ -84,7 +84,7 @@ func (pc PromConfig) ProcessEngineResponse(policy kyverno.ClusterPolicy, engineR ruleName := rule.Name ruleType := ParseRuleTypeFromEngineRuleResponse(rule) ruleResult := metrics.Fail - if rule.Success { + if rule.Status == response.RuleStatusPass { ruleResult = metrics.Pass } diff --git a/pkg/metrics/policyresults/policyResults.go b/pkg/metrics/policyresults/policyResults.go index 5056d31de2..d8dab4bc69 100644 --- a/pkg/metrics/policyresults/policyResults.go +++ b/pkg/metrics/policyresults/policyResults.go @@ -77,7 +77,7 @@ func (pc PromConfig) ProcessEngineResponse(policy kyverno.ClusterPolicy, engineR ruleName := rule.Name ruleType := ParseRuleTypeFromEngineRuleResponse(rule) ruleResult := metrics.Fail - if rule.Success { + if rule.Status == response.RuleStatusPass { ruleResult = metrics.Pass } diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go index f39a4eb7c5..21583be815 100644 --- a/pkg/policy/apply.go +++ b/pkg/policy/apply.go @@ -128,7 +128,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse if !jsonpatch.Equal(patchedResource, rawResource) { log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name) - engineResponse.PolicyResponse.Rules[index].Success = false + engineResponse.PolicyResponse.Rules[index].Status = response.RuleStatusFail engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(patches, log)) } } diff --git a/pkg/policy/report.go b/pkg/policy/report.go index 98a046c794..6dd9600de5 100644 --- a/pkg/policy/report.go +++ b/pkg/policy/report.go 
@@ -208,7 +208,7 @@ func generateFailEventsPerEr(log logr.Logger, er *response.EngineResponse) []eve logger.V(4).Info("reporting fail results for policy") for _, rule := range er.PolicyResponse.Rules { - if rule.Success { + if rule.Status != response.RuleStatusPass { continue } // generate event on resource for each failed rule diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go index aff8c5bcf7..0f11bde80e 100755 --- a/pkg/policyreport/builder.go +++ b/pkg/policyreport/builder.go @@ -259,7 +259,7 @@ func buildViolatedRules(er *response.EngineResponse) []kyverno.ViolatedRule { Message: rule.Message, } vrule.Check = report.StatusFail - if rule.Success { + if rule.Status == response.RuleStatusPass { vrule.Check = report.StatusPass } violatedRules = append(violatedRules, vrule) diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go index cd43347aae..a0500bf442 100644 --- a/pkg/testrunner/scenario.go +++ b/pkg/testrunner/scenario.go @@ -310,8 +310,8 @@ func compareRules(t *testing.T, rule response.RuleResponse, expectedRule respons // } // success - if rule.Success != expectedRule.Success { - t.Errorf("rule success: expected %t, received %t", expectedRule.Success, rule.Success) + if rule.Status != expectedRule.Status { + t.Errorf("rule success: expected %v, received %v", expectedRule.Status, rule.Status) } } diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go index bea97d8f10..68bbb9748d 100644 --- a/pkg/webhooks/annotations_test.go +++ b/pkg/webhooks/annotations_test.go @@ -9,7 +9,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" ) -func newPolicyResponse(policy, rule string, patchesStr []string, success bool) response.PolicyResponse { +func newPolicyResponse(policy, rule string, patchesStr []string, status response.RuleStatus) response.PolicyResponse { var patches [][]byte for _, p := range patchesStr { patches = append(patches, []byte(p)) 
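Review bot: The loop condition in generateFailEventsPerEr is inverted: the old code skipped rules with `Success == true` and reported the rest, but the new `if rule.Status != response.RuleStatusPass { continue }` skips the failed rules and emits fail events for passing ones, so policy violations stop producing events while the comment immediately below still says "generate event on resource for each failed rule". It should be `if rule.Status == response.RuleStatusPass { continue }`. Every other call site converted in this patch (webhooks/common.go, generate.go, generation.go) uses `!= RuleStatusPass` to select failures, which is the opposite polarity from a `continue` guard.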
@@ -21,12 +21,13 @@ func newPolicyResponse(policy, rule string, patchesStr []string, success bool) r { Name: rule, Patches: patches, - Success: success}, + Status: status, + }, }, } } -func newEngineResponse(policy, rule string, patchesStr []string, success bool, annotation map[string]string) *response.EngineResponse { +func newEngineResponse(policy, rule string, patchesStr []string, status response.RuleStatus, annotation map[string]string) *response.EngineResponse { return &response.EngineResponse{ PatchedResource: unstructured.Unstructured{ Object: map[string]interface{}{ @@ -35,13 +36,13 @@ func newEngineResponse(policy, rule string, patchesStr []string, success bool, a }, }, }, - PolicyResponse: newPolicyResponse(policy, rule, patchesStr, success), + PolicyResponse: newPolicyResponse(policy, rule, patchesStr, status), } } func Test_empty_annotation(t *testing.T) { patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` - engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, nil) + engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, response.RuleStatusPass, nil) annPatches := generateAnnotationPatches([]*response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` 
@@ -54,7 +55,7 @@ func Test_exist_annotation(t *testing.T) { } patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` - engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation) + engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, response.RuleStatusPass, annotation) annPatches := generateAnnotationPatches([]*response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` @@ -67,7 +68,7 @@ func Test_exist_kyverno_annotation(t *testing.T) { } patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` - engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation) + engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, response.RuleStatusPass, annotation) annPatches := generateAnnotationPatches([]*response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` 
@@ -79,11 +80,11 @@ func Test_annotation_nil_patch(t *testing.T) { "policies.kyverno.patches": "old-annotation", } - engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, true, annotation) + engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, response.RuleStatusPass, annotation) annPatches := generateAnnotationPatches([]*response.EngineResponse{engineResponse}, log.Log) assert.Assert(t, annPatches == nil) - engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, true, annotation) + engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, response.RuleStatusPass, annotation) annPatchesNew := generateAnnotationPatches([]*response.EngineResponse{engineResponseNew}, log.Log) assert.Assert(t, annPatchesNew == nil) } @@ -93,7 +94,7 @@ func Test_annotation_failed_Patch(t *testing.T) { "policies.kyverno.patches": "old-annotation", } - engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, false, annotation) + engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, response.RuleStatusFail, annotation) annPatches := generateAnnotationPatches([]*response.EngineResponse{engineResponse}, log.Log) assert.Assert(t, annPatches == nil) diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go index 7f0a86ff10..d2420ce343 100644 --- a/pkg/webhooks/common.go +++ b/pkg/webhooks/common.go @@ -47,7 +47,7 @@ func getEnforceFailureErrorMsg(engineResponses []*response.EngineResponse) strin if !er.IsSuccessful() && er.PolicyResponse.ValidationFailureAction == common.Enforce { ruleToReason := make(map[string]string) for _, rule := range er.PolicyResponse.Rules { - if !rule.Success { + if rule.Status != response.RuleStatusPass { ruleToReason[rule.Name] = rule.Message } } 
@@ -72,7 +72,7 @@ func getErrorMsg(engineReponses []*response.EngineResponse) string {
 resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
 str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy.Name))
 for _, rule := range er.PolicyResponse.Rules {
- if !rule.Success {
+ if rule.Status != response.RuleStatusPass {
 str = append(str, rule.ToString())
 }
 }
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 4c357e45a2..bd6d4efe79 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -86,7 +86,7 @@ func (ws *WebhookServer) handleGenerate(
 }
 engineResponse := engine.Generate(policyContext)
 for _, rule := range engineResponse.PolicyResponse.Rules {
- if !rule.Success {
+ if rule.Status != response.RuleStatusPass {
 ws.deleteGR(logger, engineResponse)
 continue
 }
diff --git a/test/e2e/mutate/mutate_test.go b/test/e2e/mutate/mutate_test.go
index 0e5f45a635..ad19f2767b 100644
--- a/test/e2e/mutate/mutate_test.go
+++ b/test/e2e/mutate/mutate_test.go
@@ -216,7 +216,7 @@ func Test_Mutate(t *testing.T) {
 Expect(err).NotTo(HaveOccurred())
 By("Validating created resource with the expected pattern...")
- _, err = validate.ValidateResourceWithPattern(log.Log, actual, expected)
+ _, err = validate.MatchPattern(log.Log, actual, expected)
 Expect(err).NotTo(HaveOccurred())
 By("Deleting Cluster Policies...")
From 67660647d91a3f2950dcc50df82c1f0b53625f8e Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Sun, 26 Sep 2021 18:30:53 -0700
Subject: [PATCH 09/50] update tests
Signed-off-by: Jim Bugwadia --- Makefile | 12 ++- pkg/engine/mutate/strategicPreprocessing.go | 10 +- .../mutate/strategicPreprocessing_test.go | 2 +- pkg/engine/response/response_test.go | 30 ++++++ pkg/engine/response/status.go | 44 +++++++-- pkg/engine/validate/common.go | 8 -- pkg/engine/validate/validate.go | 10 +- pkg/engine/validate/validate_test.go | 2 +- pkg/engine/validation.go | 16 +-- pkg/testrunner/scenario.go | 99 +++++++++++-------- pkg/testrunner/scenario_test.go | 70 +++++++++++++ pkg/testrunner/utils.go | 4 - test/cli/test-fail/missing-rule/test.yaml | 2 +- test/cli/test/simple/test.yaml | 8 +- test/e2e/mutate/mutate_test.go | 2 +- .../other/scenario_mutate_endpoint.yaml | 2 +- .../other/scenario_mutate_pod_spec.yaml | 2 +- .../other/scenario_mutate_validate_qos.yaml | 4 +- .../scenario_validate_default_proc_mount.yaml | 2 +- ...idate_disallow_default_serviceaccount.yaml | 2 +- .../other/scenario_validate_healthChecks.yaml | 4 +- .../scenario_validate_selinux_context.yaml | 2 +- .../scenario_validate_volume_whiltelist.yaml | 2 +- .../best_practices/add_networkPolicy.yaml | 2 +- .../samples/best_practices/add_ns_quota.yaml | 4 +- .../best_practices/add_safe_to_evict.yaml | 2 +- .../best_practices/add_safe_to_evict2.yaml | 2 +- .../disallow_bind_mounts_fail.yaml | 3 +- .../disallow_bind_mounts_pass.yaml | 2 +- .../disallow_host_network_port.yaml | 4 +- .../best_practices/disallow_host_pid_ipc.yaml | 2 +- .../best_practices/disallow_priviledged.yaml | 4 +- .../best_practices/disallow_sysctls.yaml | 2 +- .../more/restrict_automount_sa_token.yaml | 2 +- .../more/restrict_ingress_classes.yaml | 2 +- .../samples/more/unknown_ingress_class.yaml | 2 +- 36 files changed, 253 insertions(+), 119 deletions(-) create mode 100644 pkg/engine/response/response_test.go create mode 100644 pkg/testrunner/scenario_test.go diff --git a/Makefile b/Makefile index a986d19a32..57fbc3e745 100644 --- a/Makefile +++ b/Makefile 
@@ -148,21 +148,25 @@ create-e2e-infrastruture:
 ## variables
 BIN_DIR := $(GOPATH)/bin
-GO_ACC := $(BIN_DIR)/go-acc
+GO_ACC := $(BIN_DIR)/go-acc@latest
 CODE_COVERAGE_FILE:= coverage
 CODE_COVERAGE_FILE_TXT := $(CODE_COVERAGE_FILE).txt
 CODE_COVERAGE_FILE_HTML := $(CODE_COVERAGE_FILE).html
 ## targets
 $(GO_ACC):
- @echo " downloading testing tools"
- go get -v github.com/ory/go-acc
+ @echo " installing testing tools"
+ go install -v github.com/ory/go-acc@latest
 $(eval export PATH=$(GO_ACC):$(PATH))
 # go test provides code coverage per packages only.
 # go-acc merges the result for pks so that it be used by
 # go tool cover for reporting
-test: test-unit test-e2e test-cmd
+test: test-clean test-unit test-e2e test-cmd
+
+test-clean:
+ @echo " cleaning test cache"
+ go clean -testcache ./...
 # go get downloads and installs the binary
diff --git a/pkg/engine/mutate/strategicPreprocessing.go b/pkg/engine/mutate/strategicPreprocessing.go
index 3bd2d639da..6bb9c9ec00 100644
--- a/pkg/engine/mutate/strategicPreprocessing.go
+++ b/pkg/engine/mutate/strategicPreprocessing.go
@@ -325,7 +325,7 @@ func convertRNodeToInterface(document *yaml.RNode) (interface{}, error) {
 }
 func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNode) error {
- patternInterface, err := convertRNodeToInterface(pattern)
+ patternInterface, err := convertRNodeToInterface(pattern);
 if err != nil {
 return err
 }
@@ -335,8 +335,12 @@ func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNod
 return err
 }
- err = validate.MatchPattern(logger, resourceInterface, patternInterface)
- return err
+ err, _ = validate.MatchPattern(logger, resourceInterface, patternInterface)
+ if err != nil{
+ return err
+ }
+
+ return nil
 }
 func deleteConditionsFromNestedMaps(pattern *yaml.RNode) (bool, error) {
diff --git a/pkg/engine/mutate/strategicPreprocessing_test.go b/pkg/engine/mutate/strategicPreprocessing_test.go
index 6321a18511..28905473cf 100644
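Review bot: `GO_ACC := $(BIN_DIR)/go-acc@latest` turns the variable into a path that `go install` never creates (the binary lands at `$(BIN_DIR)/go-acc`), so the `$(GO_ACC)` target can never be satisfied and is re-run on every invocation, and `export PATH=$(GO_ACC):$(PATH)` prepends a non-existent entry. Installing `github.com/ory/go-acc@latest` also leaves the coverage tool unpinned: whichever version is published at build time is downloaded and executed by CI, which breaks reproducible builds and bypasses the module checksum verification a pinned version would get through go.sum. Keep `GO_ACC := $(BIN_DIR)/go-acc` and pin the tool, e.g. `go install -v github.com/ory/go-acc@<pinned-version>` (placeholder; pick a tagged release), ideally tracked as a tool dependency in go.mod.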
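Review bot: `err, _ = validate.MatchPattern(logger, resourceInterface, patternInterface)` depends on the error-first result order introduced in the validate.go hunk further down, which inverts the Go convention that `error` is the last result and makes the blank identifier hide the path that other callers log. The trailing semicolon on `patternInterface, err := convertRNodeToInterface(pattern);` is not gofmt-clean and should be dropped. The `if err != nil { return err }` followed by `return nil` is equivalent to `return err` now that MatchPattern returns a plain `error`; the extra branch looks like a leftover from the old `*PatternError` result, where assigning a typed nil pointer to an `error` variable would have made `return err` non-nil, a concern that no longer applies. Suggest `err, _ = validate.MatchPattern(logger, resourceInterface, patternInterface)` directly followed by `return err`, and reordering MatchPattern's results to `(string, error)` so this becomes `_, err =`.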
--- a/pkg/engine/mutate/strategicPreprocessing_test.go
+++ b/pkg/engine/mutate/strategicPreprocessing_test.go
@@ -913,7 +913,7 @@ func Test_CheckConditionAnchor_Matches(t *testing.T) {
 resource := yaml.MustParse(string(resourceRaw))
 err := checkCondition(log.Log, pattern, resource)
- assert.NilError(t, err)
+ assert.Equal(t, err, nil)
 }
 func Test_CheckConditionAnchor_DoesNotMatch(t *testing.T) {
diff --git a/pkg/engine/response/response_test.go b/pkg/engine/response/response_test.go
new file mode 100644
index 0000000000..09687a4087
--- /dev/null
+++ b/pkg/engine/response/response_test.go
@@ -0,0 +1,30 @@
+package response
+
+import (
+ "gopkg.in/yaml.v2"
+ "gotest.tools/assert"
+ "testing"
+)
+
+var sourceYAML = `
+policy:
+ name: disallow-bind-mounts
+resource:
+ kind: Pod
+ apiVersion: v1
+ name: image-with-hostpath
+rules:
+- name: validate-hostPath
+ type: Validation
+ status: Fail
+`
+
+func Test_parse_yaml(t *testing.T) {
+ var pr PolicyResponse
+ if err := yaml.Unmarshal([]byte(sourceYAML), &pr); err != nil {
+ t.Errorf("failed to parse YAML: %v", err)
+ return
+ }
+ assert.Equal(t, 1, len(pr.Rules))
+ assert.Equal(t, RuleStatusFail, pr.Rules[0].Status)
+}
\ No newline at end of file
diff --git a/pkg/engine/response/status.go b/pkg/engine/response/status.go
index e782a98a92..627597d568 100644
--- a/pkg/engine/response/status.go
+++ b/pkg/engine/response/status.go
@@ -22,8 +22,8 @@ const (
 RuleStatusSkip
 )
-func (s RuleStatus) String() string {
- return toString[s]
+func (s *RuleStatus) String() string {
+ return toString[*s]
 }
 var toString = map[RuleStatus]string{
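Review bot: Moving `String()` to a pointer receiver removes the value type `RuleStatus` from the `fmt.Stringer` set, so `%v`/`%s` on a non-addressable value (a field read through a map or a copied struct, a value handed to a logger) now prints the underlying integer instead of the name; the compareRules hunk later in this commit already has to patch `%v` to an explicit `.String()` call, which is the visible cost. A value receiver on an int-backed enum is the idiomatic form and copies nothing: `func (s RuleStatus) String() string { return toString[s] }`. `toString[s]` also yields `""` for an undefined value, so a corrupted or future status disappears from logs; consider a visible fallback such as `fmt.Sprintf("RuleStatus(%d)", int(s))` when the key is absent. In the test hunk above, `assert.Equal(t, err, nil)` loses the error text on failure that `assert.NilError` printed; if it was changed to work around a typed-nil `*PatternError`, that type is removed in this same commit and `assert.NilError(t, err)` can be restored.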
@@ -43,26 +43,50 @@ var toID = map[string]RuleStatus{
 }
 // MarshalJSON marshals the enum as a quoted json string
-func (s RuleStatus) MarshalJSON() ([]byte, error) {
+func (s *RuleStatus) MarshalJSON() ([]byte, error) {
 var b strings.Builder
- fmt.Fprintf(&b, "\"%s\"", toString[s])
+ fmt.Fprintf(&b, "\"%s\"", toString[*s])
 return []byte(b.String()), nil
 }
 // UnmarshalJSON unmarshals a quoted json string to the enum value
 func (s *RuleStatus) UnmarshalJSON(b []byte) error {
- var j string
- err := json.Unmarshal(b, &j)
+ var strVal string
+ err := json.Unmarshal(b, &strVal)
 if err != nil {
 return err
 }
+ statusVal, err := getRuleStatus(strVal)
+ if err != nil {
+ return err
+ }
+
+ *s = *statusVal
+ return nil
+}
+
+func getRuleStatus(s string) (*RuleStatus, error){
 for k, v := range toID {
- if j == k {
- *s = v
- return nil
+ if s == k {
+ return &v, nil
 }
 }
- return fmt.Errorf("invalid status: %s", j)
+ return nil, fmt.Errorf("invalid status: %s", s)
+}
+
+func (v *RuleStatus) UnmarshalYAML(unmarshal func(interface{}) error) error {
+ var s string
+ if err := unmarshal(&s); err != nil {
+ return err
+ }
+
+ statusVal, err := getRuleStatus(s)
+ if err != nil {
+ return err
+ }
+
+ *v = *statusVal
+ return nil
 }
diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go
index ccb67eb25a..9ec9910d2f 100644
--- a/pkg/engine/validate/common.go
+++ b/pkg/engine/validate/common.go
@@ -41,11 +41,3 @@ func getRawKeyIfWrappedWithAttributes(str string) string {
 }
 }
-type PatternError struct {
- msg string
- Path string
-}
-
-func (p* PatternError) Error() string {
- return p.msg
-}
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index a49dae9243..acbf1c6f1c 100644
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
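Review bot: `func (s *RuleStatus) MarshalJSON()` is not invoked when a `RuleStatus` is encoded as a non-addressable value, for example a `Status` field inside a `RuleResponse` value held in a `Rules` slice of a struct passed by value to `json.Marshal`; that value then encodes as a bare integer, while `UnmarshalJSON` on the same type accepts only a quoted string, so output produced by this package may no longer round-trip through it. Keep the value receiver, `func (s RuleStatus) MarshalJSON() ([]byte, error)` with `toString[s]`, and note it is the JSON encoder's documented behaviour that pointer-receiver marshalers are skipped for unaddressable values. `getRuleStatus` iterates the whole `toID` map to find one key and returns the address of the loop variable; a direct lookup does the same work without the pointer: `if v, ok := toID[s]; ok { return v, nil }` with a `(RuleStatus, error)` result, and the two callers assign `*s = v` / `*v = v`. The `UnmarshalYAML(unmarshal func(interface{}) error)` shape is the yaml.v2 `Unmarshaler`; yaml.v3 still appears to honour it as the legacy interface, but since scenario.go in this commit moves to yaml.v3 while response_test.go stays on v2, confirm both decoders exercise this method rather than silently reading the integer.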
@@ -14,25 +14,25 @@ import (
 // MatchPattern is a start of element-by-element pattern validation process.
 // It assumes that validation is started from root, so "/" is passed
-func MatchPattern(logger logr.Logger, resource, pattern interface{}) *PatternError {
+func MatchPattern(logger logr.Logger, resource, pattern interface{}) (error, string) {
 // newAnchorMap - to check anchor key has values
 ac := common.NewAnchorMap()
 elemPath, err := validateResourceElement(logger, resource, pattern, pattern, "/", ac)
 if err != nil {
 if common.IsConditionalAnchorError(err.Error()) || common.IsGlobalAnchorError(err.Error()) {
 logger.V(3).Info(ac.AnchorError.Message)
- return &PatternError{ac.AnchorError.Message, ""}
+ return ac.AnchorError.Error(), ""
 }
 if ac.IsAnchorError() {
 logger.V(3).Info("missing anchor in resource")
- return &PatternError{err.Error(), ""}
+ return err, ""
 }
- return &PatternError{err.Error(), elemPath}
+ return err, elemPath
 }
- return nil
+ return nil, ""
 }
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index d2685ff28a..d19038ce8f 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -1517,7 +1517,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 err = json.Unmarshal(testCase.resource, &resource)
 assert.NilError(t, err)
- _, err = MatchPattern(log.Log, resource, pattern)
+ err, _ = MatchPattern(log.Log, resource, pattern)
 if testCase.nilErr {
 assert.NilError(t, err, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\n", testCase.name, pattern, resource))
 } else {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 0fca50aa3e..09eb5e2450 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
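Review bot: The new signature `(error, string)` puts the error first, against the convention that `error` is the last result; `go vet`-style linters flag it, and every caller in this commit (`err, _ =` in the validate_test.go hunk, in checkCondition, and `err, path :=` in both validatePatterns hunks that follow) reads unnaturally. Change it to `func MatchPattern(logger logr.Logger, resource, pattern interface{}) (string, error)` and swap the operands of each `return`, so the success case becomes `return "", nil`. The doc comment still describes only where validation starts and says nothing about the second result; suggest appending `// It returns the path of the first mismatching element; the path is empty when the pattern is rejected by a conditional or global anchor rather than by a value.` `return ac.AnchorError.Error(), ""` only compiles if `AnchorError.Error()` yields an `error` rather than a `string`, which the name does not suggest; worth confirming that is the intended accessor rather than the `Message` field the previous line logs.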
@@ -404,13 +404,13 @@ func isSameRuleResponse(r1 *response.RuleResponse, r2 *response.RuleResponse) bo
 // validatePatterns validate pattern and anyPattern
 func (v *validator) validatePatterns(resource unstructured.Unstructured) *response.RuleResponse {
 if v.pattern != nil {
- if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil {
- v.log.V(3).Info("validation error", "path", err.Path, "error", err.Error())
- if err.Path == "" {
+ if err, path := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil {
+ v.log.V(3).Info("validation error", "path", path, "error", err.Error())
+ if path == "" {
 return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError)
 }
- return ruleResponse(v.rule, v.buildErrorMessage(err, err.Path), response.RuleStatusFail)
+ return ruleResponse(v.rule, v.buildErrorMessage(err, path), response.RuleStatusFail)
 }
 v.log.V(4).Info("successfully processed rule")
@@ -429,18 +429,18 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *respon
 }
 for idx, pattern := range anyPatterns {
- err := validate.MatchPattern(v.log, resource.Object, pattern)
+ err, path := validate.MatchPattern(v.log, resource.Object, pattern)
 if err == nil {
 msg := fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", v.rule.Name, idx)
 return ruleResponse(v.rule, msg, response.RuleStatusPass)
 }
- v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", err.Path)
- if err.Path == "" {
+ v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", path)
+ if path == "" {
 patternErr := fmt.Errorf("Rule %s[%d] failed: %s.", v.rule.Name, idx, err.Error())
 failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
 } else {
- patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", v.rule.Name, idx, err.Path)
+ patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", v.rule.Name, idx, path)
 failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
 }
 }
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index a0500bf442..b4c6e2b21d 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,9 +3,11 @@ package testrunner
 import (
 "bytes"
 "encoding/json"
+ "github.com/stretchr/testify/assert"
 "io/ioutil"
 "os"
 ospath "path"
+ "path/filepath"
 "reflect"
 "testing"
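Review bot: `"github.com/stretchr/testify/assert"` is imported into scenario.go, a non-_test file, so testify becomes a build dependency of `pkg/testrunner` for every importer, and it is a second assertion library next to the gotest.tools `assert` that the new scenario_test.go in this commit uses. Its only use visible here is `assert.Nil(t, err)` in loadScenario in the next hunk, which records a failure but does not return, so loadScenario carries on with a nil `fileBytes` and its `error` result is now always nil. Drop the import and restore the early return, `if err != nil { return nil, err }`, which keeps the function usable outside a test and lets Test_parse_file's `assert.NilError(t, err)` actually mean something. The import block is also no longer grouped stdlib-first, which goimports would rewrite.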
@@ -14,83 +16,94 @@ import (
 "github.com/kyverno/kyverno/pkg/engine"
 "github.com/kyverno/kyverno/pkg/engine/context"
 "github.com/kyverno/kyverno/pkg/engine/response"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime"
+ k8sRuntime "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
 apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 "k8s.io/client-go/kubernetes/scheme"
+ "path"
+ "runtime"
 )
-type scenarioT struct {
- testCases []scaseT
+type Scenario struct {
+ TestCases []TestCase
 }
-//scase defines input and output for a case
-type scaseT struct {
- Input sInput `yaml:"input"`
- Expected sExpected `yaml:"expected"`
+//CaseT defines input and output for a case
+type TestCase struct {
+ Input Input `yaml:"input"`
+ Expected Expected `yaml:"expected"`
 }
-//sInput defines input for a test scenario
-type sInput struct {
+//Input defines input for a test scenario
+type Input struct {
 Policy string `yaml:"policy"`
 Resource string `yaml:"resource"`
 LoadResources []string `yaml:"loadresources,omitempty"`
 }
-type sExpected struct {
- Mutation sMutation `yaml:"mutation,omitempty"`
- Validation sValidation `yaml:"validation,omitempty"`
- Generation sGeneration `yaml:"generation,omitempty"`
+type Expected struct {
+ Mutation Mutation `yaml:"mutation,omitempty"`
+ Validation Validation `yaml:"validation,omitempty"`
+ Generation Generation `yaml:"generation,omitempty"`
 }
-type sMutation struct {
+type Mutation struct {
 // path to the patched resource to be compared with
 PatchedResource string `yaml:"patchedresource,omitempty"`
 // expected response from the policy engine
 PolicyResponse response.PolicyResponse `yaml:"policyresponse"`
 }
-type sValidation struct {
+type Validation struct {
 // expected response from the policy engine
 PolicyResponse response.PolicyResponse `yaml:"policyresponse"`
 }
-type sGeneration struct {
+type Generation struct {
 // generated resources
 GeneratedResources []kyverno.ResourceSpec `yaml:"generatedResources"`
 // expected response from the policy engine
 PolicyResponse response.PolicyResponse `yaml:"policyresponse"`
 }
-//getRelativePath expects a path relative to project and builds the complete path
-func getRelativePath(path string) string {
- gp := os.Getenv("GOPATH")
- ap := ospath.Join(gp, projectPath)
- return ospath.Join(ap, path)
+// RootDir returns the kyverno project directory based on the location of the current file.
+// It assumes that the project directory is 2 levels up. This means if this function is moved
+// it may not work as expected.
+func RootDir() string {
+ _, b, _, _ := runtime.Caller(0)
+ d := path.Join(path.Dir(b))
+ d = filepath.Dir(d)
+ return filepath.Dir(d)
 }
-func loadScenario(t *testing.T, path string) (*scenarioT, error) {
- fileBytes, err := loadFile(t, path)
- if err != nil {
- return nil, err
- }
+//getRelativePath expects a path relative to project and builds the complete path
+func getRelativePath(path string) string {
+ root := RootDir()
+ return ospath.Join(root, path)
+}
- var testCases []scaseT
+func loadScenario(t *testing.T, path string) (*Scenario, error) {
+ fileBytes, err := loadFile(t, path)
+ assert.Nil(t, err)
+
+ var testCases []TestCase
 // load test cases separated by '---'
 // each test case defines an input & expected result
 scenariosBytes := bytes.Split(fileBytes, []byte("---"))
- for _, scenarioBytes := range scenariosBytes {
- tc := scaseT{}
- if err := yaml.Unmarshal([]byte(scenarioBytes), &tc); err != nil {
+ for _, testCaseBytes := range scenariosBytes {
+ var tc TestCase
+ if err := yaml.Unmarshal(testCaseBytes, &tc); err != nil {
 t.Errorf("failed to decode test case YAML: %v", err)
 continue
 }
+ testCases = append(testCases, tc)
 }
- scenario := scenarioT{
- testCases: testCases,
+
+ scenario := Scenario{
+ TestCases: testCases,
 }
 return &scenario, nil
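Review bot: `RootDir` discards the `ok` result of `runtime.Caller(0)` and wraps `path.Dir(b)` in a no-op `path.Join`, then switches to `filepath.Dir` for the next two levels; `b` is a host file path, so `filepath` applies throughout and the three-levels-up intent is clearer as `return filepath.Dir(filepath.Dir(filepath.Dir(b)))`, with the `ok` flag checked first because an empty `b` would quietly resolve to `.`. The result is the source path recorded at compile time, so a binary built with `-trimpath` or run on a machine without that checkout resolves a root that does not exist; the doc comment should say the helper is test-only and depends on the build machine's layout. `//CaseT defines input and output for a case` sits above `type TestCase`; the comment should open with the type's name, `//TestCase defines input and output for a case`. `"path"` is now imported alongside the existing `ospath "path"` alias from the previous hunk, the same package twice under two names, so one of them should go.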
@@ -106,14 +119,14 @@ func loadFile(t *testing.T, path string) ([]byte, error) {
 return ioutil.ReadFile(path)
 }
-func runScenario(t *testing.T, s *scenarioT) bool {
- for _, tc := range s.testCases {
+func runScenario(t *testing.T, s *Scenario) bool {
+ for _, tc := range s.TestCases {
 runTestCase(t, tc)
 }
 return true
 }
-func runTestCase(t *testing.T, tc scaseT) bool {
+func runTestCase(t *testing.T, tc TestCase) bool {
 policy := loadPolicy(t, tc.Input.Policy)
 if policy == nil {
 t.Error("Policy not loaded")
@@ -311,7 +324,7 @@ func compareRules(t *testing.T, rule response.RuleResponse, expectedRule respons
 // success
 if rule.Status != expectedRule.Status {
- t.Errorf("rule success: expected %v, received %v", expectedRule.Status, rule.Status)
+ t.Errorf("rule status mismatch: expected %s, received %s", expectedRule.Status.String(), rule.Status.String())
 }
 }
@@ -330,7 +343,7 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured {
 }
 func getClient(t *testing.T, files []string) *client.Client {
- var objects []runtime.Object
+ var objects []k8sRuntime.Object
 if files != nil {
 for _, file := range files {
@@ -338,7 +351,7 @@ func getClient(t *testing.T, files []string) *client.Client {
 }
 }
 // create mock client
- scheme := runtime.NewScheme()
+ scheme := k8sRuntime.NewScheme()
 // mock client expects the resource to be as runtime.Object
 c, err := client.NewMockClient(scheme, nil, objects...)
 if err != nil {
@@ -352,7 +365,7 @@ func getClient(t *testing.T, files []string) *client.Client {
 return c
 }
-func getGVRForResources(objects []runtime.Object) []schema.GroupVersionResource {
+func getGVRForResources(objects []k8sRuntime.Object) []schema.GroupVersionResource {
 var gvrs []schema.GroupVersionResource
 for _, obj := range objects {
 gvk := obj.GetObjectKind().GroupVersionKind()
@@ -380,7 +393,7 @@ func loadResource(t *testing.T, path string) []*unstructured.Unstructured {
 continue
 }
- data, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&obj)
+ data, err := k8sRuntime.DefaultUnstructuredConverter.ToUnstructured(&obj)
 if err != nil {
 t.Logf("failed to unmarshall resource. %v", err)
 continue
@@ -392,8 +405,8 @@ func loadResource(t *testing.T, path string) []*unstructured.Unstructured {
 return unstrResources
 }
-func loadObjects(t *testing.T, path string) []runtime.Object {
- var resources []runtime.Object
+func loadObjects(t *testing.T, path string) []k8sRuntime.Object {
+ var resources []k8sRuntime.Object
 t.Logf("loading objects from %s", path)
 data, err := loadFile(t, path)
 if err != nil {
diff --git a/pkg/testrunner/scenario_test.go b/pkg/testrunner/scenario_test.go
new file mode 100644
index 0000000000..001d4d4ae1
--- /dev/null
+++ b/pkg/testrunner/scenario_test.go
@@ -0,0 +1,70 @@ +package testrunner + +import ( + "github.com/kyverno/kyverno/pkg/engine/response" + "gopkg.in/yaml.v3" + "gotest.tools/assert" + "io/ioutil" + "testing" +) + +var sourceYAML = ` +input: + policy: test/best_practices/disallow_bind_mounts.yaml + resource: test/resources/disallow_host_filesystem.yaml +expected: + validation: + policyresponse: + policy: + namespace: '' + name: disallow-bind-mounts + resource: + kind: Pod + apiVersion: v1 + namespace: '' + name: image-with-hostpath + rules: + - name: validate-hostPath + type: Validation + status: Fail +` + +func Test_parse_yaml(t *testing.T) { + var s TestCase + if err := yaml.Unmarshal([]byte(sourceYAML), &s); err != nil { + t.Errorf("failed to parse YAML: %v", err) + return + } + + assert.Equal(t, s.Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts") + assert.Equal(t, 1, len(s.Expected.Validation.PolicyResponse.Rules), "invalid rule count") + assert.Equal(t, response.RuleStatusFail, s.Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status") +} + +func Test_parse_file(t *testing.T) { + s, err := loadScenario(t, "test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml") + assert.NilError(t, err) + + assert.Equal(t, 1, len(s.TestCases)) + assert.Equal(t, s.TestCases[0].Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts") + assert.Equal(t, 1, len(s.TestCases[0].Expected.Validation.PolicyResponse.Rules), "invalid rule count") + assert.Equal(t, response.RuleStatusFail, s.TestCases[0].Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status") +} + + +func Test_parse_file2(t *testing.T) { + path := getRelativePath("test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml") + data, err := ioutil.ReadFile(path) + assert.NilError(t, err) + + strData := string(data) + var s TestCase + if err := yaml.Unmarshal([]byte(strData), &s); err != nil { + t.Errorf("failed to parse YAML: %v", err) + return + } + + assert.Equal(t, 
s.Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts") + assert.Equal(t, 1, len(s.Expected.Validation.PolicyResponse.Rules), "invalid rule count") + assert.Equal(t, response.RuleStatusFail, s.Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status") +} diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go index bd63e9c62d..43600a0af6 100644 --- a/pkg/testrunner/utils.go +++ b/pkg/testrunner/utils.go @@ -8,10 +8,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" ) -var ( - projectPath = envOr("PROJECT_PATH", "src/github.com/kyverno/kyverno") -) - // LoadFile loads file in byte buffer func LoadFile(path string) ([]byte, error) { if _, err := os.Stat(path); os.IsNotExist(err) { diff --git a/test/cli/test-fail/missing-rule/test.yaml b/test/cli/test-fail/missing-rule/test.yaml index 78b6f68665..2eef4e23ea 100644 --- a/test/cli/test-fail/missing-rule/test.yaml +++ b/test/cli/test-fail/missing-rule/test.yaml @@ -7,4 +7,4 @@ results: - policy: disallow-latest-tag rule: missing resource: test - status: pass + status: Pass diff --git a/test/cli/test/simple/test.yaml b/test/cli/test/simple/test.yaml index e5b6b01ec0..d2b48139c6 100644 --- a/test/cli/test/simple/test.yaml +++ b/test/cli/test/simple/test.yaml @@ -7,11 +7,11 @@ results: - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-pass - status: pass + status: Pass - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-fail - status: fail + status: Fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-ignore @@ -19,8 +19,8 @@ results: - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-fail - status: fail + status: Fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-pass - status: pass + status: Pass 
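Review bot: `Test_parse_file2` re-implements `Test_parse_file` by hand — `getRelativePath` plus `ioutil.ReadFile` plus `yaml.Unmarshal` is the same sequence loadScenario performs — and its `strData := string(data)` followed by `[]byte(strData)` copies the buffer twice to no effect; either drop the test or have it assert something the first one does not, such as a multi-document file with a `---` separator. The `assert.Equal` calls put the actual value first in `assert.Equal(t, s.Expected.Validation.PolicyResponse.Policy.Name, "disallow-bind-mounts")` and the expected value first in the lines that follow, so failure messages read inconsistently; keep one order, preferably expected first as in the `RuleStatusFail` line. Both file-based tests resolve fixtures through RootDir, which depends on the checkout being present at the compiled-in source path; a guard like `if _, err := os.Stat(path); err != nil { t.Skip(...) }` would keep them from failing in an environment that only has the module.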
diff --git a/test/e2e/mutate/mutate_test.go b/test/e2e/mutate/mutate_test.go index ad19f2767b..621445a2cd 100644 --- a/test/e2e/mutate/mutate_test.go +++ b/test/e2e/mutate/mutate_test.go @@ -216,7 +216,7 @@ func Test_Mutate(t *testing.T) { Expect(err).NotTo(HaveOccurred()) By("Validating created resource with the expected pattern...") - _, err = validate.MatchPattern(log.Log, actual, expected) + err, _ = validate.MatchPattern(log.Log, actual, expected) Expect(err).NotTo(HaveOccurred()) By("Deleting Cluster Policies...") diff --git a/test/scenarios/other/scenario_mutate_endpoint.yaml b/test/scenarios/other/scenario_mutate_endpoint.yaml index 6b56e2f821..6cbc87316e 100644 --- a/test/scenarios/other/scenario_mutate_endpoint.yaml +++ b/test/scenarios/other/scenario_mutate_endpoint.yaml @@ -17,5 +17,5 @@ expected: rules: - name: pEP type: Mutation - success: true + status: Pass message: successfully process JSON patches diff --git a/test/scenarios/other/scenario_mutate_pod_spec.yaml b/test/scenarios/other/scenario_mutate_pod_spec.yaml index 10a662edb2..165930d718 100644 --- a/test/scenarios/other/scenario_mutate_pod_spec.yaml +++ b/test/scenarios/other/scenario_mutate_pod_spec.yaml @@ -16,5 +16,5 @@ expected: rules: - name: disable-servicelink-and-token type: Mutation - success: true + status: Pass message: successfully processed strategic merge patch \ No newline at end of file diff --git a/test/scenarios/other/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml index a061ee4560..88ff5f52d6 100644 --- a/test/scenarios/other/scenario_mutate_validate_qos.yaml +++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml @@ -17,7 +17,7 @@ expected: rules: - name: add-memory-limit type: Mutation - success: true + status: Pass message: successfully processed strategic merge patch validation: policyresponse: 
@@ -33,4 +33,4 @@ expected: - name: check-cpu-memory-limits type: Validation message: validation rule 'check-cpu-memory-limits' passed. - success: true \ No newline at end of file + status: Pass \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_default_proc_mount.yaml b/test/scenarios/other/scenario_validate_default_proc_mount.yaml index 8d506c7494..fd3340b29f 100644 --- a/test/scenarios/other/scenario_validate_default_proc_mount.yaml +++ b/test/scenarios/other/scenario_validate_default_proc_mount.yaml @@ -18,4 +18,4 @@ expected: - name: validate-default-proc-mount type: Validation message: "validation rule 'validate-default-proc-mount' passed." - success: true \ No newline at end of file + status: Pass \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml index 686d414840..40dffaf73b 100644 --- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml +++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml @@ -17,4 +17,4 @@ expected: - name: prevent-mounting-default-serviceaccount type: Validation message: "validation error: Prevent mounting of default service account. Rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/" - success: false \ No newline at end of file + status: Fail \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_healthChecks.yaml b/test/scenarios/other/scenario_validate_healthChecks.yaml index 6c802ba7d3..c892b9f373 100644 --- a/test/scenarios/other/scenario_validate_healthChecks.yaml +++ b/test/scenarios/other/scenario_validate_healthChecks.yaml 
@@ -17,8 +17,8 @@ expected: - name: check-readinessProbe-exists type: Validation message: validation rule 'check-readinessProbe-exists' passed. - success: true + status: Pass - name: check-livenessProbe-exists type: Validation message: validation rule 'check-livenessProbe-exists' passed. - success: true + status: Pass diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml index 302b01f175..ecf777bf29 100644 --- a/test/scenarios/other/scenario_validate_selinux_context.yaml +++ b/test/scenarios/other/scenario_validate_selinux_context.yaml @@ -17,4 +17,4 @@ expected: - name: validate-selinux-options type: Validation message: "validation error: SELinux level is required. Rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/" - success: false \ No newline at end of file + status: Fail \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml index c7503fe1fa..6b3ded8bfa 100644 --- a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml +++ b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml @@ -18,4 +18,4 @@ expected: - name: validate-volumes-whitelist type: Validation message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed." - success: true \ No newline at end of file + status: Pass \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/add_networkPolicy.yaml b/test/scenarios/samples/best_practices/add_networkPolicy.yaml index 6825c6a414..558ce91f96 100644 --- a/test/scenarios/samples/best_practices/add_networkPolicy.yaml +++ b/test/scenarios/samples/best_practices/add_networkPolicy.yaml @@ -20,5 +20,5 @@ expected: rules: - name: default-deny-ingress type: Generation - success: true + status: Pass message: created resource NetworkPolicy/devtest/default-deny-ingress 
diff --git a/test/scenarios/samples/best_practices/add_ns_quota.yaml b/test/scenarios/samples/best_practices/add_ns_quota.yaml index 9d179aabb3..f02c04fa94 100644 --- a/test/scenarios/samples/best_practices/add_ns_quota.yaml +++ b/test/scenarios/samples/best_practices/add_ns_quota.yaml @@ -20,7 +20,7 @@ expected: rules: - name: generate-resourcequota type: Generation - success: true + status: Pass - name: generate-limitrange type: Generation - success: true + status: Pass diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml index 30f3429ca9..a6721436f8 100644 --- a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml @@ -17,5 +17,5 @@ expected: rules: - name: annotate-empty-dir type: Mutation - success: true + status: Pass message: "successfully processed strategic merge patch" \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml index 4bd9ebb28d..c1ed183500 100644 --- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml @@ -17,5 +17,5 @@ expected: rules: - name: annotate-host-path type: Mutation - success: true + status: Pass message: "successfully processed strategic merge patch" \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml index 02ab854227..490b1d3185 100644 --- a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml 
@@ -15,5 +15,6 @@ expected: name: image-with-hostpath rules: - name: validate-hostPath + message: "validation error: Host path volumes are not allowed. Rule validate-hostPath failed at path /spec/volumes/0/hostPath/" type: Validation - success: false \ No newline at end of file + status: Fail diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml index 35ebbf6fd0..19d8a8edac 100644 --- a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-hostPath type: Validation - success: true \ No newline at end of file + status: Pass \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml index 757996ec10..3560cf85cf 100644 --- a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml @@ -16,7 +16,7 @@ expected: rules: - name: validate-host-network type: Validation - success: true + status: Pass - name: validate-host-port type: Validation - success: false + status: Fail \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml index 60d224b44c..0bedc4f1df 100644 --- a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-hostPID-hostIPC type: Validation - success: false \ No newline at end of file + status: Fail \ No newline at end of file 
diff --git a/test/scenarios/samples/best_practices/disallow_priviledged.yaml b/test/scenarios/samples/best_practices/disallow_priviledged.yaml index 42891aca3d..8a418989db 100644 --- a/test/scenarios/samples/best_practices/disallow_priviledged.yaml +++ b/test/scenarios/samples/best_practices/disallow_priviledged.yaml @@ -16,7 +16,7 @@ expected: rules: - name: validate-privileged type: Validation - success: false + status: Fail - name: validate-allowPrivilegeEscalation type: Validation - success: false + status: Fail \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_sysctls.yaml b/test/scenarios/samples/best_practices/disallow_sysctls.yaml index d6cc4fe650..79724bc503 100644 --- a/test/scenarios/samples/best_practices/disallow_sysctls.yaml +++ b/test/scenarios/samples/best_practices/disallow_sysctls.yaml @@ -17,4 +17,4 @@ expected: rules: - name: validate-sysctls type: Validation - success: false \ No newline at end of file + status: Fail \ No newline at end of file diff --git a/test/scenarios/samples/more/restrict_automount_sa_token.yaml b/test/scenarios/samples/more/restrict_automount_sa_token.yaml index 6d95e5657e..8d39da19bd 100644 --- a/test/scenarios/samples/more/restrict_automount_sa_token.yaml +++ b/test/scenarios/samples/more/restrict_automount_sa_token.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-automountServiceAccountToken type: Validation - success: true \ No newline at end of file + status: Pass \ No newline at end of file diff --git a/test/scenarios/samples/more/restrict_ingress_classes.yaml b/test/scenarios/samples/more/restrict_ingress_classes.yaml index ef6569ed2c..adc5c3a61e 100644 --- a/test/scenarios/samples/more/restrict_ingress_classes.yaml +++ b/test/scenarios/samples/more/restrict_ingress_classes.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-ingress type: Validation - success: true \ No newline at end of file + status: Pass \ No newline at end of file 
diff --git a/test/scenarios/samples/more/unknown_ingress_class.yaml b/test/scenarios/samples/more/unknown_ingress_class.yaml index 4c731552c4..7f096d8ac5 100644 --- a/test/scenarios/samples/more/unknown_ingress_class.yaml +++ b/test/scenarios/samples/more/unknown_ingress_class.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-ingress type: Validation - success: false \ No newline at end of file + status: Fail \ No newline at end of file From 536b64bed11af9172d20e522fc840b44e53ebbbf Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 26 Sep 2021 21:15:13 -0700 Subject: [PATCH 10/50] fix tests Signed-off-by: Jim Bugwadia --- pkg/engine/validate/validate_test.go | 55 ++++++++++++++++++---------- pkg/kyverno/apply/report_test.go | 8 ++-- 2 files changed, 40 insertions(+), 23 deletions(-) diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index d19038ce8f..36b43b8319 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go @@ -1394,11 +1394,6 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { pattern: []byte(`{"spec": {"containers": [{"name": "*","(image)": "*:latest | !*:*","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), nilErr: false, - }, { - name: "check global anchor", - pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), - resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: true, }, { name: "test-4", 
@@ -1511,19 +1506,41 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		var pattern, resource interface{}
-		err := json.Unmarshal(testCase.pattern, &pattern)
-		assert.NilError(t, err)
-		err = json.Unmarshal(testCase.resource, &resource)
-		assert.NilError(t, err)
-
-		err, _ = MatchPattern(log.Log, resource, pattern)
-		if testCase.nilErr {
-			assert.NilError(t, err, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\n", testCase.name, pattern, resource))
-		} else {
-			assert.Assert(t,
-				err != nil,
-				fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\nmsg: %v", testCase.name, pattern, resource, err))
-		}
+		executeTestCase(t, testCase)
+	}
+}
+
+func Test_global_anchor(t *testing.T) {
+	testCases := []struct {
+		name     string
+		pattern  []byte
+		resource []byte
+		nilErr   bool
+	} {
+		{
+			name:     "check global anchor",
+			pattern:  []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`),
+			resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`),
+			nilErr:   false,
+		},
+	}
+
+	executeTestCase(t, testCases[0])
+}
+
+func executeTestCase(t *testing.T, testCase struct {name string;pattern []byte;resource []byte;nilErr bool}) {
+	var pattern, resource interface{}
+	err := json.Unmarshal(testCase.pattern, &pattern)
+	assert.NilError(t, err)
+	err = json.Unmarshal(testCase.resource, &resource)
+	assert.NilError(t, err)
+
+	err, _ = MatchPattern(log.Log, resource, pattern)
+	if testCase.nilErr {
+		assert.NilError(t, err, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\n", testCase.name, pattern, resource))
+	} else {
+		assert.Assert(t,
+			err != nil,
+			fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\nmsg: %v", testCase.name, pattern, resource, err))
 	}
 }
diff --git a/pkg/kyverno/apply/report_test.go b/pkg/kyverno/apply/report_test.go
index 594e47d28a..1abe4d56cc 100644
--- a/pkg/kyverno/apply/report_test.go
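Review bot: `Test_global_anchor` runs `executeTestCase(t, testCases[0])` rather than ranging over the table, so any case appended to `testCases` later is silently never executed; `for _, tc := range testCases { executeTestCase(t, tc) }` keeps the table and the loop in step, as `TestConditionalAnchorWithMultiplePatterns` already does just above. The helper's parameter type `struct {name string;pattern []byte;resource []byte;nilErr bool}` has to be repeated byte-for-byte at every call site to stay assignable; declaring `type matchPatternCase struct{ name string; pattern, resource []byte; nilErr bool }` once and using it for both tables removes that trap and lets gofmt format the signature. `TestConditionalAnchorWithMultiplePatterns` begins before this hunk.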
+++ b/pkg/kyverno/apply/report_test.go 
@@ -86,7 +86,7 @@ var rawPolicy = []byte(` } `) -var rawEngRes = []byte(`{"PatchedResource":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx1","namespace":"default"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"IfNotPresent","name":"nginx","resources":{"limits":{"cpu":"200m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}}]}},"PolicyResponse":{"policy":{"name":"pod-requirements","namespace":""},"resource":{"kind":"Pod","apiVersion":"v1","namespace":"default","name":"nginx1","uid":""},"processingTime":974958,"rulesAppliedCount":2,"policyExecutionTimestamp":1630527712,"rules":[{"name":"pods-require-account","type":"Validation","message":"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/","success":false,"processingTime":28833,"ruleExecutionTimestamp":1630527712},{"name":"pods-require-limits","type":"Validation","message":"validation rule 'pods-require-limits' passed.","success":true,"processingTime":578625,"ruleExecutionTimestamp":1630527712}],"ValidationFailureAction":"audit"}}`) +var rawEngRes = []byte(`{"PatchedResource":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx1","namespace":"default"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"IfNotPresent","name":"nginx","resources":{"limits":{"cpu":"200m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}}]}},"PolicyResponse":{"policy":{"name":"pod-requirements","namespace":""},"resource":{"kind":"Pod","apiVersion":"v1","namespace":"default","name":"nginx1","uid":""},"processingTime":974958,"rulesAppliedCount":2,"policyExecutionTimestamp":1630527712,"rules":[{"name":"pods-require-account","type":"Validation","message":"validation error: User pods must include an account for charging. 
Rule pods-require-account failed at path /metadata/labels/","status":"Fail","processingTime":28833,"ruleExecutionTimestamp":1630527712},{"name":"pods-require-limits","type":"Validation","message":"validation rule 'pods-require-limits' passed.","status":"Pass","processingTime":578625,"ruleExecutionTimestamp":1630527712}],"ValidationFailureAction":"audit"}}`) func Test_buildPolicyReports(t *testing.T) { os.Setenv("POLICY-TYPE", common.PolicyReport) @@ -118,9 +118,9 @@ func Test_buildPolicyReports(t *testing.T) { assert.Assert(t, report.GetName() == "policyreport-ns-default") assert.Assert(t, report.GetKind() == "PolicyReport") assert.Assert(t, len(report.UnstructuredContent()["results"].([]interface{})) == 2) - assert.Assert(t, - report.UnstructuredContent()["summary"].(map[string]interface{})[preport.StatusPass].(int64) == 1, - report.UnstructuredContent()["summary"].(map[string]interface{})[preport.StatusPass].(int64)) + + summary := report.UnstructuredContent()["summary"].(map[string]interface{}) + assert.Assert(t, summary[preport.StatusPass].(int64) == 1, summary[preport.StatusPass].(int64)) } } } From 6a81bb7cc32f38178402ffe8db0fd480e5305234 Mon Sep 17 00:00:00 2001 From: Kumar Mallikarjuna Date: Tue, 28 Sep 2021 00:14:56 +0530 Subject: [PATCH 11/50] Escape references (#2433) * Escape references Signed-off-by: Kumar Mallikarjuna * Additional tests Signed-off-by: Kumar Mallikarjuna --- pkg/engine/variables/vars.go | 46 +++++++++++++++++++++++--- pkg/engine/variables/vars_test.go | 55 +++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+), 4 deletions(-) diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index b3ef7da034..587bc5e758 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go 
@@ -18,7 +18,12 @@ import (
 )
 
 var RegexVariables = regexp.MustCompile(`\{\{[^{}]*\}\}`)
-var RegexReferences = regexp.MustCompile(`\$\(.[^\ ]*\)`)
+
+// Regex for '$(...)' at the beginning of the string, and 'x$(...)' where 'x' is not '\'
+var RegexReferences = regexp.MustCompile(`^\$\(.[^\ ]*\)|[^\\]\$\(.[^\ ]*\)`)
+
+// Regex for '\$(...)'
+var RegexEscpReferences = regexp.MustCompile(`\\\$\(.[^\ ]*\)`)
 
 // IsVariable returns true if the element contains a 'valid' variable {{}}
 func IsVariable(value string) bool {
@@ -156,6 +161,13 @@ func substituteReferencesIfAny(log logr.Logger) jsonUtils.Action {
 		}
 
 		for _, v := range RegexReferences.FindAllString(value, -1) {
+			initial := v[:2] == `$(`
+			v_old := v
+
+			if !initial {
+				v = v[1:]
+			}
+
 			resolvedReference, err := resolveReference(log, data.Document, v, data.Path)
 			if err != nil {
 				switch err.(type) {
@@ -173,7 +185,15 @@ func substituteReferencesIfAny(log logr.Logger) jsonUtils.Action {
 
 			log.V(3).Info("reference resolved", "reference", v, "value", resolvedReference, "path", data.Path)
 			if val, ok := resolvedReference.(string); ok {
-				value = strings.Replace(value, v, val, -1)
+				replace_with := ""
+
+				if !initial {
+					replace_with = string(v_old[0])
+				}
+
+				replace_with += val
+
+				value = strings.Replace(value, v_old, replace_with, 1)
 				continue
 			}
 
@@ -183,6 +203,10 @@ func substituteReferencesIfAny(log logr.Logger) jsonUtils.Action {
 			}
 		}
 
+		for _, v := range RegexEscpReferences.FindAllString(value, -1) {
+			value = strings.Replace(value, v, v[1:], -1)
+		}
+
 		return value, nil
 	})
 }
@@ -329,6 +353,12 @@ func valFromReferenceToString(value interface{}, operator string) (string, error
 
 func FindAndShiftReferences(log logr.Logger, value, shift, pivot string) string {
 	for _, reference := range RegexReferences.FindAllString(value, -1) {
+		initial := reference[:2] == `$(`
+		reference_old := reference
+
+		if !initial {
+			reference = reference[1:]
+		}
 		index := strings.Index(reference, pivot)
 		if index == -1 {
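Review bot: `v = v[1:]` and `string(v_old[0])` assume the character consumed by the `[^\\]` prefix of `RegexReferences` is a single byte, but Go's regexp matches a character class against a whole UTF-8 rune, so a multi-byte character immediately before `$(` leaves a partial rune in `v` (which `resolveReference` then fails on) and the replacement re-emits only that rune's first byte. Cutting at the reference start avoids both problems: `i := strings.Index(v, "$("); prefix := v[:i]; v = v[i:]`, with `replace_with = prefix` in the later hunk. `v_old` and `replace_with` are also snake_case; Go convention (and golint) is `vOld`/`replaceWith`. The closure continues into the following hunks.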
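Review bot: the un-escape loop runs over `value` after references have been substituted, so an escape is also stripped from text that arrived via a resolved reference: if the referenced field itself contains `\$(x)` — resource data, not something the policy author wrote — it comes out as `$(x)`. If the escape is meant to apply only to the policy text, run `RegexEscpReferences` over the original string (or the segments between references) rather than over the substituted result; if the current behaviour is intended, a comment such as `// escapes inside resolved values are stripped too` saves the next reader the question. `strings.Replace(value, v, v[1:], -1)` also replaces every occurrence of `v`, including ones an earlier iteration already handled — harmless, but `1` is what the loop actually needs and reads less surprisingly.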
@@ -341,8 +371,16 @@ func FindAndShiftReferences(log logr.Logger, value, shift, pivot string) string
 			pivot = pivot + "/" + ruleIndex
 		}
 
-		shiftedReference := strings.Replace(reference, pivot, pivot+"/"+shift, 1)
-		value = strings.Replace(value, reference, shiftedReference, -1)
+		shiftedReference := strings.Replace(reference, pivot, pivot+"/"+shift, -1)
+		replace_with := ""
+
+		if !initial {
+			replace_with = string(reference_old[0])
+		}
+
+		replace_with += shiftedReference
+
+		value = strings.Replace(value, reference_old, replace_with, 1)
 	}
 
 	return value
diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go
index 1ea7320311..b86b95ae31 100644
--- a/pkg/engine/variables/vars_test.go
+++ b/pkg/engine/variables/vars_test.go
@@ -1063,3 +1063,58 @@ func TestFindAndShiftReferences_AnyPatternPositiveCase(t *testing.T) {
 
 	assert.Equal(t, expectedMessage, actualMessage)
 }
+
+func Test_EscpReferenceSubstitution(t *testing.T) {
+	jsonRaw := []byte(`
+	{
+		"metadata": {
+			"name": "temp",
+			"namespace": "n1",
+			"annotations": {
+				"test1": "$(../../../../spec/namespace)",
+				"test2": "\\$(ENV_VAR)",
+				"test3": "\\${ENV_VAR}",
+				"test4": "\\\\\\${ENV_VAR}"
+			}
+		},
+		"(spec)": {
+			"namespace": "n1",
+			"name": "temp1"
+		}
+	}`)
+
+	expectedJSON := []byte(`
+	{
+		"metadata": {
+			"name": "temp",
+			"namespace": "n1",
+			"annotations": {
+				"test1": "n1",
+				"test2": "$(ENV_VAR)",
+				"test3": "\\${ENV_VAR}",
+				"test4": "\\\\\\${ENV_VAR}"
+			}
+		},
+		"(spec)": {
+			"namespace": "n1",
+			"name": "temp1"
+		}
+	}`)
+
+	var document interface{}
+	err := json.Unmarshal(jsonRaw, &document)
+	assert.NilError(t, err)
+
+	var expectedDocument interface{}
+	err = json.Unmarshal(expectedJSON, &expectedDocument)
+	assert.NilError(t, err)
+
+	ctx := context.NewContext()
+	err = ctx.AddResource(jsonRaw)
+	assert.NilError(t, err)
+
+	actualDocument, err := SubstituteAll(log.Log, ctx, document)
+	assert.NilError(t, err)
+
+	assert.DeepEqual(t, expectedDocument, actualDocument)
+}
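Review bot: changing `strings.Replace(reference, pivot, pivot+"/"+shift, 1)` to `-1` shifts every occurrence of `pivot` inside a reference instead of the first, so a reference whose path repeats the pivot segment (whether that can happen in practice is not visible here) is rewritten at each repetition; if only the anchoring segment should move, keep `1`, and if all occurrences are intended, a one-line comment saying why would help. `reference = reference[1:]` and `string(reference_old[0])` carry the same single-byte assumption about the `[^\\]` prefix as `substituteReferencesIfAny`; `strings.Index(reference, "$(")` is the safe cut point. `FindAndShiftReferences` starts in the previous hunk.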
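Review bot: `Test_EscpReferenceSubstitution` only exercises references and escapes at the start of a value; the branch this change introduces — a reference preceded by another character, matched by the new `[^\\]` alternative of `RegexReferences` — has no case, nor does a prefix that is a multi-byte character. Adding annotations such as `"test5": "x$(../../../../spec/namespace)"` expecting `"xn1"` and `"test6": "é$(../../../../spec/namespace)"` expecting `"én1"` would pin the prefix handling. `FindAndShiftReferences` receives no escape-related test in this patch.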
From a905a615812f01c278a582defaff9818d8994509 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 27 Sep 2021 14:28:55 -0700
Subject: [PATCH 12/50] fix deny rules

Signed-off-by: Jim Bugwadia
---
 pkg/engine/common/utils.go           |  21 ++
 pkg/engine/context/context.go        |   1 +
 pkg/engine/mutation.go               |   2 +-
 pkg/engine/mutation_test.go          |   2 +-
 pkg/engine/policyContext.go          |  15 ++
 pkg/engine/validate/validate.go      |   6 +-
 pkg/engine/validate/validate_test.go |  19 +-
 pkg/engine/validation.go             |  52 ++--
 pkg/engine/validation_test.go        | 344 ++++++++++++++++++++++++++-
 pkg/engine/variables/vars.go         |   2 +-
 10 files changed, 431 insertions(+), 33 deletions(-)

diff --git a/pkg/engine/common/utils.go b/pkg/engine/common/utils.go
index aa84e694fd..3e8f98b774 100644
--- a/pkg/engine/common/utils.go
+++ b/pkg/engine/common/utils.go
@@ -1,5 +1,7 @@
 package common
 
+import "encoding/json"
+
 // CopyMap creates a full copy of the target map
 func CopyMap(m map[string]interface{}) map[string]interface{} {
 	mapCopy := make(map[string]interface{})
@@ -17,3 +19,22 @@ func CopySlice(s []interface{}) []interface{} {
 
 	return sliceCopy
 }
+
+func ToMap(data interface{}) (map[string]interface{}, error) {
+	if m, ok := data.(map[string]interface{}); ok {
+		return m, nil
+	}
+
+	b, err := json.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+
+	mapData := make(map[string]interface{})
+	err = json.Unmarshal(b, &mapData)
+	if err != nil {
+		return nil, err
+	}
+
+	return mapData, nil
+}
\ No newline at end of file
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
index 4df504a047..408dc15ed8 100644
--- a/pkg/engine/context/context.go
+++ b/pkg/engine/context/context.go
@@ -188,6 +188,7 @@ func (ctx *Context) AddResourceAsObject(data interface{}) error {
 		ctx.log.Error(err, "failed to marshal the resource")
 		return err
 	}
+
 	return ctx.AddJSON(objRaw)
 }
 
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index b3e69d8606..f453e9173e 100644
--- a/pkg/engine/mutation.go
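Review bot: `ToMap` is exported but has no doc comment, and its fallback is not obvious from the signature: anything that is not already a `map[string]interface{}` is round-tripped through `encoding/json`, so the result follows JSON decoding rules (numbers come back as `float64`, struct fields follow their `json` tags, unexported fields are dropped) and a value that does not encode as a JSON object fails inside `json.Unmarshal` with a generic error. Suggested comment: `// ToMap returns data unchanged when it is already a map[string]interface{}; otherwise it round-trips data through encoding/json, so numbers decode as float64 and non-object values return an error.` Wrapping the Unmarshal error with the `%T` of `data` would also name the offending type in the rule message. The file is left without a trailing newline.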
+++ b/pkg/engine/mutation.go
@@ -117,7 +117,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
 				ruleResp := response.RuleResponse{
 					Name:    ruleCopy.Name,
 					Type:    utils.Validation.String(),
-					Message: fmt.Sprintf("variable substitution failed for rule %s: %s", ruleCopy.Name, err.Error()),
+					Message: fmt.Sprintf("variable substitution failed: %s", err.Error()),
 					Status:  response.RuleStatusPass,
 				}
 
diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go
index f242d6fbd3..d5aa5b69b2 100644
--- a/pkg/engine/mutation_test.go
+++ b/pkg/engine/mutation_test.go
@@ -157,7 +157,7 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
 		JSONContext: ctx,
 		NewResource: *resourceUnstructured}
 	er := Mutate(policyContext)
-	expectedErrorStr := "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path"
+	expectedErrorStr := "variable substitution failed: Unknown key \"name1\" in path"
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
 }
 
diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go
index e4cf4c1584..1d55ef0b0e 100644
--- a/pkg/engine/policyContext.go
+++ b/pkg/engine/policyContext.go
@@ -40,3 +40,18 @@ type PolicyContext struct {
 	// NamespaceLabels stores the label of namespace to be processed by namespace selector
 	NamespaceLabels map[string]string
 }
+
+func (pc *PolicyContext) Copy() *PolicyContext {
+	return &PolicyContext{
+		Policy:              pc.Policy,
+		NewResource:         pc.NewResource,
+		OldResource:         pc.OldResource,
+		AdmissionInfo:       pc.AdmissionInfo,
+		Client:              pc.Client,
+		ExcludeGroupRole:    pc.ExcludeGroupRole,
+		ExcludeResourceFunc: pc.ExcludeResourceFunc,
+		ResourceCache:       pc.ResourceCache,
+		JSONContext:         pc.JSONContext,
+		NamespaceLabels:     pc.NamespaceLabels,
+	}
+}
\ No newline at end of file
diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go
index acbf1c6f1c..fb19489e18 100644
--- a/pkg/engine/validate/validate.go
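Review bot: `Status: response.RuleStatusPass` stays on a response whose message now reads `variable substitution failed: …`, so a mutate rule that could not resolve its variables is reported as having passed; validation.go in this same patch routes the identical condition through `ruleError`, which returns `RuleStatusError`. If an unresolvable path is meant to make the rule not apply, `Status: response.RuleStatusSkip` states that without claiming success; otherwise `RuleStatusError` keeps the two engines consistent. `Type: utils.Validation.String()` on a mutate rule's response, just above the changed line, also looks like a copy-paste remnant worth confirming. `Mutate` continues outside the hunk.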
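Review bot: `Copy` is a shallow copy — `JSONContext`, `Client`, `ResourceCache` and the `NamespaceLabels` map are the same objects as in the receiver — yet the caller added in this patch (`validateForEach` in validation.go) calls `ctx.JSONContext.AddResourceAsObject(e)` on the copy as if it were isolated, which therefore mutates the original context. Either the name should say so or the doc comment must: `// Copy returns a shallow copy of pc; reference fields (JSONContext, Client, ResourceCache, NamespaceLabels) are shared with the receiver, so mutating them through the copy affects the original.` The exported method currently has no doc comment, and the file is left without a trailing newline.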
+++ b/pkg/engine/validate/validate.go
@@ -19,11 +19,13 @@ func MatchPattern(logger logr.Logger, resource, pattern interface{}) (error, str
 	ac := common.NewAnchorMap()
 	elemPath, err := validateResourceElement(logger, resource, pattern, pattern, "/", ac)
 	if err != nil {
+		// if conditional or global anchors report errors, the rule does not apply to the resource
 		if common.IsConditionalAnchorError(err.Error()) || common.IsGlobalAnchorError(err.Error()) {
-			logger.V(3).Info(ac.AnchorError.Message)
-			return ac.AnchorError.Error(), ""
+			logger.V(3).Info("skipping resource as anchor does not apply", "msg", ac.AnchorError.Error())
+			return nil, ""
 		}
 
+		// check if an anchor defined in the policy rule is missing in the resource
 		if ac.IsAnchorError() {
 			logger.V(3).Info("missing anchor in resource")
 			return err, ""
diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go
index 36b43b8319..0fd3b5e35b 100644
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@@ -1506,7 +1506,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 	}
 
 	for _, testCase := range testCases {
-		executeTestCase(t, testCase)
+		testMatchPattern(t, testCase)
 	}
 }
 
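Review bot: returning `nil, ""` when a conditional or global anchor does not match makes a pattern that was skipped indistinguishable from one that matched, so callers of `MatchPattern` (outside this hunk) presumably report the rule as passed rather than skipped — the `nilErr: true` expectation for the `nginx:v1` case in `Test_global_anchor` shows exactly that collapse. `validateForEach` in this same patch already distinguishes `response.RuleStatusSkip`, so the information is wanted upstream; a distinct sentinel error (or a third return value) for "anchor not applicable" that the caller maps to Skip would keep audit reports honest. The new comment would also read better as `// a non-matching conditional or global anchor means the pattern does not apply to this resource: not-applicable, not a violation`. The remaining branches of `MatchPattern` are outside the hunk.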
@@ -1518,17 +1518,24 @@ func Test_global_anchor(t *testing.T) {
 		nilErr   bool
 	} {
 		{
-			name:     "check global anchor",
+			name:     "check global anchor_skip",
 			pattern:  []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`),
-			resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`),
+			resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:v1", "imagePullPolicy": "Always"}]}}`),
+			nilErr:   true,
+		},
+		{
+			name:     "check global anchor_apply",
+			pattern:  []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`),
+			resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:latest", "imagePullPolicy": "Always"}]}}`),
 			nilErr:   false,
 		},
 	}
 
-	executeTestCase(t, testCases[0])
+	testMatchPattern(t, testCases[0])
+	testMatchPattern(t, testCases[1])
 }
 
-func executeTestCase(t *testing.T, testCase struct {name string;pattern []byte;resource []byte;nilErr bool}) {
+func testMatchPattern(t *testing.T, testCase struct {name string;pattern []byte;resource []byte;nilErr bool}) {
 	var pattern, resource interface{}
 	err := json.Unmarshal(testCase.pattern, &pattern)
 	assert.NilError(t, err)
@@ -1543,4 +1550,4 @@ func executeTestCase(t *testing.T, testCase struct {name string;pattern []b
 			err != nil,
 			fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\nmsg: %v", testCase.name, pattern, resource, err))
 	}
-}
+}
\ No newline at end of file
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 09eb5e2450..0e1865c26d 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -3,6 +3,7 @@ package engine
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/kyverno/kyverno/pkg/engine/common"
 	"github.com/pkg/errors"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"reflect"
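Review bot: the table now holds two cases but they are still invoked one by one (`testMatchPattern(t, testCases[0])`, `testMatchPattern(t, testCases[1])`), so a third case would again be silently ignored; `for _, tc := range testCases { testMatchPattern(t, tc) }` is the fix. The second hunk also strips the file's trailing newline (`\ No newline at end of file`), which gofmt will restore on the next touch — better to keep it now.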
@@ -189,7 +190,7 @@ func (v *validator) validate() *response.RuleResponse {
 		return ruleResponse(v.rule, "", response.RuleStatusSkip)
 	}
 
-	if v.rule.Validation.Pattern != nil || v.rule.Validation.AnyPattern != nil {
+	if v.pattern != nil || v.anyPattern != nil {
 		if err = v.substitutePatterns(); err != nil {
 			return ruleError(v.rule, "variable substitution failed", err)
 		}
@@ -197,7 +198,7 @@ func (v *validator) validate() *response.RuleResponse {
 
 		ruleResponse := v.validateResourceWithRule()
 		return ruleResponse
-	} else if v.rule.Validation.Deny != nil {
+	} else if v.deny != nil {
 		ruleResponse := v.validateDeny()
 		return ruleResponse
 	}
@@ -235,27 +236,46 @@ func (v *validator) validateForEach() *response.RuleResponse {
 
 	for _, e := range elements {
 		v.ctx.JSONContext.Reset()
-		elementData := make(map[string]interface{})
-		elementData["element"] = e
-		jsonData, err := json.Marshal(elementData)
-		if err != nil {
-			return ruleError(v.rule, fmt.Sprintf("failed to marshall element %v", e), err)
+		ctx := v.ctx.Copy()
+		if err := addElementToContext(ctx, e); err != nil {
+			v.log.Error(err, "failed to add element to context")
+			return ruleError(v.rule, "failed to process foreach", err)
 		}
 
-		if err := v.ctx.JSONContext.AddJSON(jsonData); err != nil {
-			return ruleError(v.rule, fmt.Sprintf("failed add element (%s) to context", string(jsonData)), err)
-		}
-
-		foreachValidator := newForeachValidator(v.log, v.ctx, v.rule)
+		foreachValidator := newForeachValidator(v.log, ctx, v.rule)
 		r := foreachValidator.validate()
-		if r.Status != response.RuleStatusPass {
+		if r == nil {
+			v.log.Info("skipping rule due to empty result")
+		} else if r.Status == response.RuleStatusSkip {
+			v.log.Info("skipping rule as preconditions were not met")
+
+		} else if r.Status != response.RuleStatusPass {
+			msg := fmt.Sprintf("validation failed in foreach rule for %v", e)
+
 			return ruleResponse(v.rule, msg, r.Status)
 		}
 	}
 
 	return ruleResponse(v.rule, "", response.RuleStatusPass)
 }
 
+func addElementToContext(ctx *PolicyContext, e interface{}) error {
+	data, err := common.ToMap(e)
+	if err != nil {
+		return err
+	}
+
+	u := unstructured.Unstructured{}
+	u.SetUnstructuredContent(data)
+	ctx.NewResource = u
+
+	if err := ctx.JSONContext.AddResourceAsObject(e); err != nil {
+		return errors.Wrapf(err, "failed to add resource (%v) to JSON context", e)
+	}
+
+	return nil
+}
+
 func (v *validator) evaluateList(jmesPath string) ([]interface{}, error) {
 	i, err := v.ctx.JSONContext.Query(jmesPath)
 	if err != nil {
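Review bot: `ctx := v.ctx.Copy()` does not give each element an isolated context: `Copy` (policyContext.go in this patch) copies the `JSONContext` pointer, so `addElementToContext`'s `ctx.JSONContext.AddResourceAsObject(e)` still writes into the context that `v.ctx.JSONContext.Reset()` is managing, and after the last iteration that shared context is left holding the final element rather than the original resource unless a caller resets it (not visible here). If per-element isolation is the goal, snapshot or copy the JSON context before adding the element; if sharing is fine, the `Copy()` only serves to set `NewResource`, and a comment should say so. A `foreach` in which every element is skipped, or for which `validate()` returns nil, falls through to `RuleStatusPass` and reports success for a rule that evaluated nothing; an `applied` flag with `RuleStatusSkip` when it stays false would be more accurate. Finally, `msg` embeds the whole element via `%v`, which for a container spec can put a large blob into an admission response — the element's name or index is usually enough.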
@@ -302,9 +322,9 @@ func (v *validator) checkPreconditions() (bool, error) {
 
 func (v *validator) validateDeny() *response.RuleResponse {
 	anyAllCond := v.deny.AnyAllConditions
-	anyAllCond, err := variables.SubstituteAllInPreconditions(v.log, v.ctx.JSONContext, anyAllCond)
+	anyAllCond, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, anyAllCond)
 	if err != nil {
-		return ruleError(v.rule, "failed to substitute variables in preconditions", err)
+		return ruleError(v.rule, "failed to substitute variables in deny conditions", err)
 	}
 
 	if err = v.substituteDeny(); err != nil {
@@ -557,7 +577,7 @@ func (v *validator) substituteDeny() error {
 }
 
 func ruleError(rule *kyverno.Rule, msg string, err error) *response.RuleResponse {
-	msg = fmt.Sprintf("%s for rule %s: %s", msg, rule.Name, err.Error())
+	msg = fmt.Sprintf("%s: %s", msg, err.Error())
 	return ruleResponse(rule, msg, response.RuleStatusError)
 }
 
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 9395052b08..54e7c667ad 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -1479,7 +1479,7 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
 	er := Validate(policyContext)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Message,
-		"variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path")
+		"variable substitution failed: Unknown key \"name1\" in path")
 }
 
 func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSubstitutionFails(t *testing.T) {
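Review bot: moving deny conditions from `SubstituteAllInPreconditions` to `SubstituteAll` turns an unresolvable variable into `RuleStatusError` — the Flux test expectation later in this patch changes from `RuleStatusFail` to `RuleStatusError` with `failed to substitute variables in deny conditions: Unknown key "namespace" in path`. For an enforce-mode deny rule that is a fail-open change if the admission path does not block on Error: a resource that simply omits the field the condition references (`spec.sourceRef.namespace` in that test) is no longer denied. If that is intended, it deserves a sentence in the commit message and a test on the admission side that `RuleStatusError` blocks; otherwise keep the precondition-style substitution for deny conditions, or map this error to `RuleStatusFail` explicitly. `validateDeny` continues past the hunk.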
@@ -1570,7 +1570,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSu
 		NewResource: *resourceUnstructured}
 	er := Validate(policyContext)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed: Unknown key \"name1\" in path")
 }
 
 func Test_VariableSubstitution_NotOperatorWithStringVariable(t *testing.T) {
@@ -1720,7 +1720,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
 		NewResource: *resourceUnstructured}
 	er := Validate(policyContext)
 	assert.Equal(t, er.PolicyResponse.Rules[0].Status, response.RuleStatusError)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed: Unknown key \"name1\" in path")
 }
 
 func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatternSatisfy(t *testing.T) {
@@ -1932,8 +1932,8 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path not present resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}}`), - expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusFail}, - expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "spec.sourceRef.namespace must be the same as metadata.namespace"}, + expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusError}, + expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "failed to substitute variables in deny conditions: Unknown key \"namespace\" in path"}, }, { name: "resource-with-violation", 
@@ -1970,7 +1970,7 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) {
 
 	er := Validate(policyContext)
 	for i, rule := range er.PolicyResponse.Rules {
-		assert.Equal(t, er.PolicyResponse.Rules[i].Status, test.expectedResults[i])
+		assert.Equal(t, er.PolicyResponse.Rules[i].Status, test.expectedResults[i], "\ntest %s failed\nexpected: %s\nactual: %s", test.name, test.expectedResults[i].String(), er.PolicyResponse.Rules[i].Status.String())
 		assert.Equal(t, er.PolicyResponse.Rules[i].Message, test.expectedMessages[i], "\ntest %s failed\nexpected: %s\nactual: %s", test.name, test.expectedMessages[i], rule.Message)
 	}
 }
@@ -2418,3 +2418,335 @@ func Test_StringInDenyCondition(t *testing.T) { er := Validate(&PolicyContext{Policy: policy, NewResource: *resourceUnstructured, JSONContext: ctx}) assert.Assert(t, er.IsSuccessful()) } + +func Test_foreach_container_pass(t *testing.T) { + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-valid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test-path-not-exist", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "pattern": { + "name": "*-valid" + } + } + }}]}}`) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusPass) +} + +func Test_foreach_container_fail(t *testing.T) { + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-invalid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "pattern": { + "name": "*-valid" + } + } + }}]}}`) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusFail) +} + +func Test_foreach_container_deny_fail(t *testing.T) { + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": 
"Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-invalid", "image": "docker.io/nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "deny": { + "conditions": [ + {"key": "{{ regex_match('{{request.object.image}}', 'docker.io') }}", "operator": "Equals", "value": false} + ] + } + } + }}]}}`) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusFail) +} + +func Test_foreach_container_deny_success(t *testing.T) { + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-invalid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "deny": { + "conditions": [ + {"key": "{{ regex_match('{{request.object.image}}', 'docker.io') }}", "operator": "Equals", "value": false} + ] + } + } + }}]}}`) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusFail) +} + +func Test_foreach_container_deny_error(t *testing.T) { + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + 
{"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-invalid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "deny": { + "conditions": [ + {"key": "{{ regex_match_INVALID('{{request.object.image}}', 'docker.io') }}", "operator": "Equals", "value": false} + ] + } + } + }}]}}`) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusError) +} + +func Test_foreach_context_preconditions(t *testing.T) { + + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-valid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"}, + {"name": "pod4-valid", "image": "nginx/nginx:v4"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "context": [{"name": "tags", "configMap": {"name": "mycmap", "namespace": "default"}}], + "preconditions": { "all": [ + { + "key": "{{request.object.name}}", + "operator": "Equals", + "value": "pod1-valid | pod2-valid | pod3-valid" + } + ]}, + "deny": { + "conditions": [ + {"key": "images.{{ request.object.name }}.tag", "operator": "NotEquals", "value": "{{ tags.data.{{ request.object.name }} }}"} + ] + } + } + }}]}}`) + + configMapVariableContext := store.Context{ + Policies: []store.Policy{ + { + Name: 
"test", + Rules: []store.Rule{ + { + Name: "test", + Values: map[string]string{ + "tags.data.pod1-valid": "v1", + "tags.data.pod2-valid": "v2", + "tags.data.pod3-valid": "v3", + }, + }, + }, + }, + }, + } + + store.SetContext(configMapVariableContext) + store.SetMock(true) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusPass) +} + +func Test_foreach_context_preconditions_fail(t *testing.T) { + + resourceRaw := []byte(`{ + "apiVersion": "v1", + "kind": "Deployment", + "metadata": {"name": "test"}, + "spec": { "template": { "spec": { + "containers": [ + {"name": "pod1-valid", "image": "nginx/nginx:v1"}, + {"name": "pod2-valid", "image": "nginx/nginx:v2"}, + {"name": "pod3-valid", "image": "nginx/nginx:v3"}, + {"name": "pod4-valid", "image": "nginx/nginx:v4"} + ] + }}}}`) + + policyraw := []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": {"name": "test"}, + "spec": { + "rules": [ + { + "name": "test", + "match": {"resources": { "kinds": [ "Deployment" ] } }, + "validate": { + "foreach": { + "list": "request.object.spec.template.spec.containers", + "context": [{"name": "tags", "configMap": {"name": "mycmap", "namespace": "default"}}], + "preconditions": { "all": [ + { + "key": "{{request.object.name}}", + "operator": "Equals", + "value": "pod1-valid | pod2-valid | pod3-valid" + } + ]}, + "deny": { + "conditions": [ + {"key": "images.{{ request.object.name }}.tag", "operator": "NotEquals", "value": "{{ tags.data.{{ request.object.name }} }}"} + ] + } + } + }}]}}`) + + configMapVariableContext := store.Context{ + Policies: []store.Policy{ + { + Name: "test", + Rules: []store.Rule{ + { + Name: "test", + Values: map[string]string{ + "tags.data.pod1-valid": "v1", + "tags.data.pod2-valid": "v22", + "tags.data.pod3-valid": "v3", + }, + }, + }, + }, + }, + } + + store.SetContext(configMapVariableContext) + store.SetMock(true) + + testForEach(t, policyraw, resourceRaw, "", response.RuleStatusFail) +} + +func testForEach(t 
*testing.T, policyraw []byte, resourceRaw []byte, msg string, status response.RuleStatus) { + var policy kyverno.ClusterPolicy + assert.NilError(t, json.Unmarshal(policyraw, &policy)) + resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw) + assert.NilError(t, err) + + ctx := context.NewContext() + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) + + policyContext := &PolicyContext{ + Policy: policy, + JSONContext: ctx, + NewResource: *resourceUnstructured} + er := Validate(policyContext) + + assert.Equal(t, er.PolicyResponse.Rules[0].Status, status) + if msg != "" { + assert.Equal(t, er.PolicyResponse.Rules[0].Message, msg) + } +} diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index ec3e21d699..dece35cdb3 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go @@ -108,7 +108,7 @@ func UntypedToRule(untyped interface{}) (kyverno.Rule, error) { func substituteAll(log logr.Logger, ctx context.EvalInterface, document interface{}, resolver VariableResolver) (_ interface{}, err error) { document, err = substituteReferences(log, document) if err != nil { - return kyverno.Rule{}, err + return document, err } return substituteVars(log, ctx, document, resolver) From 3957a1400e424d37e5ed1975b803b572d02cbff7 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Mon, 27 Sep 2021 23:40:05 -0700 Subject: [PATCH 13/50] fix deny check and fmt 
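Review bot: `Test_foreach_container_deny_success` and `Test_foreach_container_deny_fail` use an identical deny condition and both expect `response.RuleStatusFail`, so the "success" case never exercises a passing foreach deny; with `regex_match(..., 'docker.io')` compared `Equals false`, every non-docker.io image satisfies the condition, which looks inverted relative to the test names, so either the expected status of the success test or the condition's `value` should change so that one test passes and one fails. `testForEach` also reads `er.PolicyResponse.Rules[0]` without checking the slice length, so a policy that yields no rule response panics instead of failing with a message; add `assert.Equal(t, len(er.PolicyResponse.Rules), 1)` before the status assertion. `store.SetMock(true)` and `store.SetContext(...)` in the two preconditions tests set package-level state that is never reset and can leak into later tests in the package; registering a cleanup such as `t.Cleanup(func() { store.SetMock(false) })` (assuming SetMock takes a bool) keeps them isolated.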
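Review bot: `substituteAll` now returns the partially substituted `document` alongside a non-nil error, whereas the Go convention is that the value is meaningless when `err != nil`; a caller that checks the error loosely could act on a document whose references were only partly resolved. Unless a caller relies on inspecting the partial result, `return nil, err` makes the contract explicit, and if surfacing the partial document is intentional (for diagnostics, say) a comment on that return should say so. The previous `kyverno.Rule{}` was semantically unrelated to this function's `interface{}` result, so replacing it is right; the open question is only what to return. substituteAll's callers are outside the hunk.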
Signed-off-by: Jim Bugwadia --- .../kyverno/v1alpha1/zz_generated.deepcopy.go | 1 + .../v1alpha1/zz_generated.deepcopy.go | 1 + pkg/engine/common/utils.go | 2 +- pkg/engine/context/context.go | 18 ++--- pkg/engine/generation.go | 8 +- pkg/engine/mutate/strategicPreprocessing.go | 4 +- pkg/engine/mutation.go | 2 +- pkg/engine/policyContext.go | 20 ++--- pkg/engine/response/response.go | 4 +- pkg/engine/response/response_test.go | 2 +- pkg/engine/response/status.go | 31 ++++---- pkg/engine/validate/common.go | 1 - pkg/engine/validate/validate.go | 2 +- pkg/engine/validate/validate_test.go | 11 ++- pkg/engine/validation.go | 78 +++++++++++-------- pkg/engine/validation_test.go | 50 ++++++------ pkg/engine/variables/vars.go | 4 +- pkg/testrunner/scenario_test.go | 1 - 18 files changed, 128 insertions(+), 112 deletions(-) diff --git a/pkg/api/kyverno/v1alpha1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1alpha1/zz_generated.deepcopy.go index c9ffcd64d3..9effd366a1 100644 --- a/pkg/api/kyverno/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/api/kyverno/v1alpha1/zz_generated.deepcopy.go @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated /* diff --git a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go index 683557bf02..c189f46034 100644 --- a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go @@ -1,3 +1,4 @@ +//go:build !ignore_autogenerated // +build !ignore_autogenerated /* diff --git a/pkg/engine/common/utils.go b/pkg/engine/common/utils.go index 3e8f98b774..5d0147ef3f 100644 --- a/pkg/engine/common/utils.go +++ b/pkg/engine/common/utils.go @@ -37,4 +37,4 @@ func ToMap(data interface{}) (map[string]interface{}, error) { } return mapData, nil -} \ No newline at end of file +} diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go index 408dc15ed8..2389e0c26d 100644 --- a/pkg/engine/context/context.go 
+++ b/pkg/engine/context/context.go @@ -53,21 +53,21 @@ type EvalInterface interface { //Context stores the data resources as JSON type Context struct { - mutex sync.RWMutex - jsonRaw []byte + mutex sync.RWMutex + jsonRaw []byte jsonRawCheckpoints [][]byte - builtInVars []string - images *Images - log logr.Logger + builtInVars []string + images *Images + log logr.Logger } //NewContext returns a new context // builtInVars is the list of known variables (e.g. serviceAccountName) func NewContext(builtInVars ...string) *Context { ctx := Context{ - jsonRaw: []byte(`{}`), // empty json struct - builtInVars: builtInVars, - log: log.Log.WithName("context"), + jsonRaw: []byte(`{}`), // empty json struct + builtInVars: builtInVars, + log: log.Log.WithName("context"), jsonRawCheckpoints: make([][]byte, 0), } @@ -334,7 +334,7 @@ func (ctx *Context) reset(remove bool) { ctx.mutex.Lock() defer ctx.mutex.Unlock() - if len(ctx.jsonRawCheckpoints) == 0 { + if len(ctx.jsonRawCheckpoints) == 0 { return } diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 8df53e34a2..1ef5dbc6cb 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -80,8 +80,8 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR // if the oldResource matched, return "false" to delete GR for it if err = MatchesResourceDescription(oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels); err == nil { return &response.RuleResponse{ - Name: rule.Name, - Type: "Generation", + Name: rule.Name, + Type: "Generation", Status: response.RuleStatusFail, RuleStats: response.RuleStats{ ProcessingTime: time.Since(startTime), 
@@ -123,8 +123,8 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR // build rule Response return &response.RuleResponse{ - Name: ruleCopy.Name, - Type: "Generation", + Name: ruleCopy.Name, + Type: "Generation", Status: response.RuleStatusPass, RuleStats: response.RuleStats{ ProcessingTime: time.Since(startTime), diff --git a/pkg/engine/mutate/strategicPreprocessing.go b/pkg/engine/mutate/strategicPreprocessing.go index 6bb9c9ec00..4e78a6b5c3 100644 --- a/pkg/engine/mutate/strategicPreprocessing.go +++ b/pkg/engine/mutate/strategicPreprocessing.go @@ -325,7 +325,7 @@ func convertRNodeToInterface(document *yaml.RNode) (interface{}, error) { } func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNode) error { - patternInterface, err := convertRNodeToInterface(pattern); + patternInterface, err := convertRNodeToInterface(pattern) if err != nil { return err } @@ -336,7 +336,7 @@ func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNod } err, _ = validate.MatchPattern(logger, resourceInterface, patternInterface) - if err != nil{ + if err != nil { return err } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index f453e9173e..fe178a623e 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -118,7 +118,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { Name: ruleCopy.Name, Type: utils.Validation.String(), Message: fmt.Sprintf("variable substitution failed: %s", err.Error()), - Status: response.RuleStatusPass, + Status: response.RuleStatusPass, } incrementAppliedCount(resp) diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go index 1d55ef0b0e..dd23dad881 100644 --- a/pkg/engine/policyContext.go +++ b/pkg/engine/policyContext.go 
@@ -43,15 +43,15 @@ type PolicyContext struct { func (pc *PolicyContext) Copy() *PolicyContext { return &PolicyContext{ - Policy: pc.Policy, - NewResource: pc.NewResource, - OldResource: pc.OldResource, - AdmissionInfo: pc.AdmissionInfo, - Client: pc.Client, - ExcludeGroupRole: pc.ExcludeGroupRole, + Policy: pc.Policy, + NewResource: pc.NewResource, + OldResource: pc.OldResource, + AdmissionInfo: pc.AdmissionInfo, + Client: pc.Client, + ExcludeGroupRole: pc.ExcludeGroupRole, ExcludeResourceFunc: pc.ExcludeResourceFunc, - ResourceCache: pc.ResourceCache, - JSONContext: pc.JSONContext, - NamespaceLabels: pc.NamespaceLabels, + ResourceCache: pc.ResourceCache, + JSONContext: pc.JSONContext, + NamespaceLabels: pc.NamespaceLabels, } -} \ No newline at end of file +} diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index 8a640e0291..28e6cdfc08 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go @@ -87,7 +87,7 @@ type RuleResponse struct { Status RuleStatus `json:"status"` // statistics - RuleStats `json:",inline"` + RuleStats `json:",inline"` } //ToString ... @@ -161,7 +161,7 @@ func (er EngineResponse) GetResourceSpec() ResourceSpec { func (er EngineResponse) getRules(status RuleStatus) []string { var rules []string for _, r := range er.PolicyResponse.Rules { - if r.Status == status { + if r.Status == status { rules = append(rules, r.Name) } } diff --git a/pkg/engine/response/response_test.go b/pkg/engine/response/response_test.go index 09687a4087..caf15d8876 100644 --- a/pkg/engine/response/response_test.go +++ b/pkg/engine/response/response_test.go @@ -27,4 +27,4 @@ func Test_parse_yaml(t *testing.T) { } assert.Equal(t, 1, len(pr.Rules)) assert.Equal(t, RuleStatusFail, pr.Rules[0].Status) -} \ No newline at end of file +} diff --git a/pkg/engine/response/status.go b/pkg/engine/response/status.go index 627597d568..a35f9623f8 100644 --- a/pkg/engine/response/status.go +++ b/pkg/engine/response/status.go 
@@ -9,16 +9,21 @@ import ( // RuleStatus represents the status of rule execution type RuleStatus int +// RuleStatusPass is used to report the result of processing a rule. const ( - // RuleStatusPass indicates that the policy rule requirements are met + // RuleStatusPass indicates that the resources meets the policy rule requirements RuleStatusPass RuleStatus = iota - // Fail indicates that the policy rule requirements are not met + // Fail indicates that the resource does not meet the policy rule requirements RuleStatusFail - // Warn indicates that the policy rule requirements are not met, and the policy is not scored + // Warn indicates that the the resource does not meet the policy rule requirements, but the policy is not scored RuleStatusWarn - // Error indicates that the policy rule could not be evaluated due to a processing error + // Error indicates that the policy rule could not be evaluated due to a processing error, for + // example when a variable cannot be resolved in the policy rule definition. Note that variables + // that cannot be resolved in preconditions are replaced with empty values to allow existence + // checks. RuleStatusError - // Skip indicates that the policy rule was not selected based on user inputs or applicability + // Skip indicates that the policy rule was not selected based on user inputs or applicability, for example + // when preconditions are not met, or when conditional or global anchors are not satistied. RuleStatusSkip ) 
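Review bot: The new comment `// RuleStatusPass is used to report the result of processing a rule.` sits on the const block rather than on RuleStatusPass, which keeps its own comment two lines below; it should describe the group, e.g. `// Rule execution statuses reported for each processed rule.`, or be dropped. The reworded comments carry typos: `satistied` → `satisfied`, `that the the resource` → `that the resource`, and `the resources meets` → `the resource meets`. The comments on the Fail and Warn constants still open with `Fail`/`Warn` instead of the identifiers `RuleStatusFail`/`RuleStatusWarn`, which is what godoc-style tooling expects for an exported name.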
@@ -28,18 +33,18 @@ func (s *RuleStatus) String() string { var toString = map[RuleStatus]string{ RuleStatusPass: "Pass", - RuleStatusFail: "Fail", - RuleStatusWarn: "Warning", + RuleStatusFail: "Fail", + RuleStatusWarn: "Warning", RuleStatusError: "Error", - RuleStatusSkip: "Skip", + RuleStatusSkip: "Skip", } var toID = map[string]RuleStatus{ - "Pass": RuleStatusPass, - "Fail": RuleStatusFail, + "Pass": RuleStatusPass, + "Fail": RuleStatusFail, "Warning": RuleStatusWarn, - "Error": RuleStatusError, - "Skip": RuleStatusSkip, + "Error": RuleStatusError, + "Skip": RuleStatusSkip, } // MarshalJSON marshals the enum as a quoted json string @@ -66,7 +71,7 @@ func (s *RuleStatus) UnmarshalJSON(b []byte) error { return nil } -func getRuleStatus(s string) (*RuleStatus, error){ +func getRuleStatus(s string) (*RuleStatus, error) { for k, v := range toID { if s == k { return &v, nil diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go index 9ec9910d2f..3009fc3fb7 100644 --- a/pkg/engine/validate/common.go +++ b/pkg/engine/validate/common.go @@ -40,4 +40,3 @@ func getRawKeyIfWrappedWithAttributes(str string) string { return str } } - diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index fb19489e18..7750e6118e 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go 
@@ -49,7 +49,7 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement)) return path, fmt.Errorf("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement) } - // CheckAnchorInResource - check anchor anchor key exists in resource and update the AnchorKey fields. + // CheckAnchorInResource - check anchor key exists in resource and update the AnchorKey fields. ac.CheckAnchorInResource(typedPatternElement, typedResourceElement) return validateMap(log, typedResourceElement, typedPatternElement, originPattern, path, ac) // array diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index 0fd3b5e35b..292f954c92 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go @@ -1516,7 +1516,7 @@ func Test_global_anchor(t *testing.T) { pattern []byte resource []byte nilErr bool - } { + }{ { name: "check global anchor_skip", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), @@ -1535,7 +1535,12 @@ func Test_global_anchor(t *testing.T) { testMatchPattern(t, testCases[1]) } -func testMatchPattern(t *testing.T, testCase struct {name string;pattern []byte;resource []byte;nilErr bool}) { +func testMatchPattern(t *testing.T, testCase struct { + name string + pattern []byte + resource []byte + nilErr bool +}) { var pattern, resource interface{} err := json.Unmarshal(testCase.pattern, &pattern) assert.NilError(t, err) @@ -1550,4 +1555,4 @@ func testMatchPattern(t *testing.T, testCase struct {name string;pattern []byte; err != nil, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\nmsg: %v", testCase.name, pattern, resource, err)) } -} \ No newline at end of file +} 
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 0e1865c26d..9c5fcaef8f 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -116,12 +116,11 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo } func processValidationRule(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *response.RuleResponse { + v := newValidator(log, ctx, rule) if rule.Validation.ForEachValidation != nil { - v := newValidator(log, ctx, rule) return v.validateForEach() } - v := newValidator(log, ctx, rule) return v.validate() } 
@@ -140,41 +139,48 @@ func addRuleResponse(log logr.Logger, resp *response.EngineResponse, ruleResp *r } type validator struct { - log logr.Logger - ctx *PolicyContext - rule *kyverno.Rule - contextEntries []kyverno.ContextEntry + log logr.Logger + ctx *PolicyContext + rule *kyverno.Rule + contextEntries []kyverno.ContextEntry anyAllConditions apiextensions.JSON - pattern apiextensions.JSON - anyPattern apiextensions.JSON - deny *kyverno.Deny + pattern apiextensions.JSON + anyPattern apiextensions.JSON + deny *kyverno.Deny } func newValidator(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *validator { ruleCopy := rule.DeepCopy() return &validator{ - log: log, - rule: ruleCopy, - ctx: ctx, - contextEntries: ruleCopy.Context, + log: log, + rule: ruleCopy, + ctx: ctx, + contextEntries: ruleCopy.Context, anyAllConditions: ruleCopy.AnyAllConditions, - pattern: ruleCopy.Validation.Pattern, - anyPattern: ruleCopy.Validation.AnyPattern, - deny: ruleCopy.Validation.Deny, + pattern: ruleCopy.Validation.Pattern, + anyPattern: ruleCopy.Validation.AnyPattern, + deny: ruleCopy.Validation.Deny, } } func newForeachValidator(log logr.Logger, ctx *PolicyContext, rule *kyverno.Rule) *validator { ruleCopy := rule.DeepCopy() + + // Variable substitution expects JSON data, so we convert to a map + anyAllConditions, err := common.ToMap(ruleCopy.Validation.ForEachValidation.AnyAllConditions) + if err != nil { + log.Error(err, "failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions") + } + return &validator{ - log: log, - ctx: ctx, - rule: ruleCopy, - contextEntries: ruleCopy.Validation.ForEachValidation.Context, - anyAllConditions: ruleCopy.Validation.ForEachValidation.AnyAllConditions, - pattern: ruleCopy.Validation.ForEachValidation.Pattern, - anyPattern: ruleCopy.Validation.ForEachValidation.AnyPattern, - deny: ruleCopy.Validation.ForEachValidation.Deny, + log: log, + ctx: ctx, + rule: ruleCopy, + contextEntries: 
ruleCopy.Validation.ForEachValidation.Context, + anyAllConditions: anyAllConditions, + pattern: ruleCopy.Validation.ForEachValidation.Pattern, + anyPattern: ruleCopy.Validation.ForEachValidation.AnyPattern, + deny: ruleCopy.Validation.ForEachValidation.Deny, } } @@ -233,6 +239,7 @@ func (v *validator) validateForEach() *response.RuleResponse { v.ctx.JSONContext.Checkpoint() defer v.ctx.JSONContext.Restore() + applyCount := 0 for _, e := range elements { v.ctx.JSONContext.Reset() @@ -246,14 +253,20 @@ func (v *validator) validateForEach() *response.RuleResponse { r := foreachValidator.validate() if r == nil { v.log.Info("skipping rule due to empty result") - + continue } else if r.Status == response.RuleStatusSkip { v.log.Info("skipping rule as preconditions were not met") - + continue } else if r.Status != response.RuleStatusPass { - msg := fmt.Sprintf("validation failed in foreach rule for %v", e) + msg := fmt.Sprintf("validation failed in foreach rule for %v", r.Message) return ruleResponse(v.rule, msg, r.Status) } + + applyCount++ + } + + if applyCount == 0 { + return ruleResponse(v.rule, "", response.RuleStatusSkip) } return ruleResponse(v.rule, "", response.RuleStatusPass) @@ -290,7 +303,6 @@ func (v *validator) evaluateList(jmesPath string) ([]interface{}, error) { return l, nil } - func (v *validator) loadContext() error { if err := LoadContext(v.log, v.contextEntries, v.ctx.ResourceCache, v.ctx, v.rule.Name); err != nil { if _, ok := err.(gojmespath.NotFoundError); ok { @@ -481,7 +493,7 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *respon return ruleResponse(v.rule, v.rule.Validation.Message, response.RuleStatusPass) } -func deserializeAnyPattern(anyPattern apiextensions.JSON ) ([]interface{}, error) { +func deserializeAnyPattern(anyPattern apiextensions.JSON) ([]interface{}, error) { if anyPattern == nil { return nil, nil } 
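Review bot: In `newForeachValidator` the `common.ToMap` error is only logged and the validator is still built with whatever value ToMap returned, so a foreach rule whose preconditions cannot be converted silently runs without them instead of reporting RuleStatusError; because preconditions decide which elements a deny or pattern applies to, this is a fail-open path. The constructor has no error return, so the caller cannot react; change it to `func newForeachValidator(...) (*validator, error)` returning `nil, fmt.Errorf("converting foreach preconditions: %w", err)` and have validateForEach (whose loop body is in the hunk further down this line) map that error to `ruleResponse(v.rule, err.Error(), response.RuleStatusError)`. The call site of newForeachValidator is outside this hunk.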
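Review bot: The `if r == nil { … continue } else if … { … continue } else if …` chain in validateForEach keeps `else` after branches that end in `continue`, which Go style recommends flattening into three independent `if` statements with the happy path (`applyCount++`) left-aligned. Per-element skips are logged at the default level with `v.log.Info`, which produces one line per container on a large list; `v.log.V(4).Info(...)` would match the verbosity used for comparable messages in validate.go (`log.V(4).Info("Pattern and resource have different structures."...)`). The `applyCount == 0` → RuleStatusSkip result deserves a one-line comment, e.g. `// no element passed the preconditions, so the rule did not apply`, since status.go documents Skip as the status for unmet preconditions or anchors.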
@@ -538,7 +550,7 @@ func buildAnyPatternErrorMessage(rule *kyverno.Rule, errors []string) string { return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr) } -func (v *validator) substitutePatterns() error { +func (v *validator) substitutePatterns() error { if v.pattern != nil { i, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.pattern) if err != nil { @@ -562,7 +574,7 @@ func (v *validator) substitutePatterns() error { return nil } -func (v *validator) substituteDeny() error { +func (v *validator) substituteDeny() error { if v.deny == nil { return nil } @@ -586,6 +598,6 @@ func ruleResponse(rule *kyverno.Rule, msg string, status response.RuleStatus) *r Name: rule.Name, Type: utils.Validation.String(), Message: msg, - Status: status, + Status: status, } -} \ No newline at end of file +} diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index 54e7c667ad..259d3c1666 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -1921,9 +1921,9 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing. func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { tests := []struct { - name string - policyRaw []byte - resourceRaw []byte + name string + policyRaw []byte + resourceRaw []byte expectedResults []response.RuleStatus expectedMessages []string }{ 
@@ -1931,7 +1931,7 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { name: "path-not-present", policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path not present - resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}}`), + resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}}`), expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusError}, expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "failed to substitute variables in deny conditions: Unknown key \"namespace\" in path"}, }, 
@@ -1939,7 +1939,7 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { name: "resource-with-violation", policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace {{request.object.spec.sourceRef.namespace}} must be the same as metadata.namespace {{request.object.metadata.namespace}}","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path present with different value - resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"default"},"prune":true,"validation":"client"}}`), + resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"default"},"prune":true,"validation":"client"}}`), expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusFail}, expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "spec.sourceRef.namespace default must be the same as metadata.namespace apps"}, }, 
@@ -1947,7 +1947,7 @@ func Test_Flux_Kustomization_PathNotPresent(t *testing.T) { name: "resource-comply", policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`), // referred variable path present with same value - validate passes - resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"apps"},"prune":true,"validation":"client"}}`), + resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"apps"},"prune":true,"validation":"client"}}`), expectedResults: []response.RuleStatus{response.RuleStatusPass, response.RuleStatusPass}, expectedMessages: []string{"validation rule 'serviceAccountName' passed.", "validation rule 'sourceRefNamespace' passed."}, }, 
@@ -2603,10 +2603,8 @@ func Test_foreach_context_preconditions(t *testing.T) { "metadata": {"name": "test"}, "spec": { "template": { "spec": { "containers": [ - {"name": "pod1-valid", "image": "nginx/nginx:v1"}, - {"name": "pod2-valid", "image": "nginx/nginx:v2"}, - {"name": "pod3-valid", "image": "nginx/nginx:v3"}, - {"name": "pod4-valid", "image": "nginx/nginx:v4"} + {"name": "podvalid", "image": "nginx/nginx:v1"}, + {"name": "podinvalid", "image": "nginx/nginx:v2"} ] }}}}`) @@ -2622,17 +2620,17 @@ func Test_foreach_context_preconditions(t *testing.T) { "validate": { "foreach": { "list": "request.object.spec.template.spec.containers", - "context": [{"name": "tags", "configMap": {"name": "mycmap", "namespace": "default"}}], + "context": [{"name": "img", "configMap": {"name": "mycmap", "namespace": "default"}}], "preconditions": { "all": [ { "key": "{{request.object.name}}", - "operator": "Equals", - "value": "pod1-valid | pod2-valid | pod3-valid" + "operator": "In", + "value": ["podvalid"] } ]}, "deny": { "conditions": [ - {"key": "images.{{ request.object.name }}.tag", "operator": "NotEquals", "value": "{{ tags.data.{{ request.object.name }} }}"} + {"key": "{{ request.object.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ request.object.name }} }}"} ] } } @@ -2646,9 +2644,8 @@ func Test_foreach_context_preconditions(t *testing.T) { { Name: "test", Values: map[string]string{ - "tags.data.pod1-valid": "v1", - "tags.data.pod2-valid": "v2", - "tags.data.pod3-valid": "v3", + "img.data.podvalid": "nginx/nginx:v1", + "img.data.podinvalid": "nginx/nginx:v2", }, }, }, 
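Review bot: The rewritten fixtures in Test_foreach_context_preconditions carry their intent only in the data: the `In` precondition lists just `podvalid`, so `podinvalid` appears to be filtered before its deny condition is evaluated, and the `img.data` entries match both container images, but nothing in the hunk says that this skip is the property under test. A comment above the resource literal would make the case self-explaining, e.g. `// podinvalid is excluded by the In precondition, so only podvalid's image is compared against the configmap` (if that is the intent). The same applies to Test_foreach_context_preconditions_fail in the following hunks, where both names pass the precondition and `img.data.podinvalid` is deliberately set to `nginx/nginx:v1` while the container image is `v2`; a one-line comment stating that this mismatch is what must produce the deny would help there too. Both enclosing test functions start and end outside these hunks.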
@@ -2670,10 +2667,8 @@ func Test_foreach_context_preconditions_fail(t *testing.T) { "metadata": {"name": "test"}, "spec": { "template": { "spec": { "containers": [ - {"name": "pod1-valid", "image": "nginx/nginx:v1"}, - {"name": "pod2-valid", "image": "nginx/nginx:v2"}, - {"name": "pod3-valid", "image": "nginx/nginx:v3"}, - {"name": "pod4-valid", "image": "nginx/nginx:v4"} + {"name": "podvalid", "image": "nginx/nginx:v1"}, + {"name": "podinvalid", "image": "nginx/nginx:v2"} ] }}}}`) @@ -2689,17 +2684,17 @@ func Test_foreach_context_preconditions_fail(t *testing.T) { "validate": { "foreach": { "list": "request.object.spec.template.spec.containers", - "context": [{"name": "tags", "configMap": {"name": "mycmap", "namespace": "default"}}], + "context": [{"name": "img", "configMap": {"name": "mycmap", "namespace": "default"}}], "preconditions": { "all": [ { "key": "{{request.object.name}}", - "operator": "Equals", - "value": "pod1-valid | pod2-valid | pod3-valid" + "operator": "In", + "value": ["podvalid", "podinvalid"] } ]}, "deny": { "conditions": [ - {"key": "images.{{ request.object.name }}.tag", "operator": "NotEquals", "value": "{{ tags.data.{{ request.object.name }} }}"} + {"key": "{{ request.object.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ request.object.name }} }}"} ] } } @@ -2713,9 +2708,8 @@ func Test_foreach_context_preconditions_fail(t *testing.T) { { Name: "test", Values: map[string]string{ - "tags.data.pod1-valid": "v1", - "tags.data.pod2-valid": "v22", - "tags.data.pod3-valid": "v3", + "img.data.podvalid": "nginx/nginx:v1", + "img.data.podinvalid": "nginx/nginx:v1", }, }, }, diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index dece35cdb3..8a7bebe020 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go 
@@ -52,6 +52,8 @@ func newPreconditionsVariableResolver(log logr.Logger) VariableResolver { } } +// SubstituteAll substitutes variables and references in the document. The document must be JSON data +// i.e. string, []interface{}, map[string]interface{} func SubstituteAll(log logr.Logger, ctx context.EvalInterface, document interface{}) (_ interface{}, err error) { return substituteAll(log, ctx, document, DefaultVariableResolver) } @@ -139,8 +141,6 @@ func SubstituteAllForceMutate(log logr.Logger, ctx context.EvalInterface, typedR return UntypedToRule(rule) } -//SubstituteVars replaces the variables with the values defined in the context -// - if any variable is invalid or has nil value, it is considered as a failed variable substitution func substituteVars(log logr.Logger, ctx context.EvalInterface, rule interface{}, vr VariableResolver) (interface{}, error) { return jsonUtils.NewTraversal(rule, substituteVariablesIfAny(log, ctx, vr)).TraverseJSON() } diff --git a/pkg/testrunner/scenario_test.go b/pkg/testrunner/scenario_test.go index 001d4d4ae1..ee2f420e92 100644 --- a/pkg/testrunner/scenario_test.go +++ b/pkg/testrunner/scenario_test.go @@ -51,7 +51,6 @@ func Test_parse_file(t *testing.T) { assert.Equal(t, response.RuleStatusFail, s.TestCases[0].Expected.Validation.PolicyResponse.Rules[0].Status, "invalid status") } - func Test_parse_file2(t *testing.T) { path := getRelativePath("test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml") data, err := ioutil.ReadFile(path) From 5273a7fa7bee6221345d9cb19d6e9521c67c4c7f Mon Sep 17 00:00:00 2001 From: Vyankatesh Kudtarkar Date: Tue, 28 Sep 2021 19:06:16 +0530 Subject: [PATCH 14/50] Fix skipped policy message is displayed even if variable is passed (#2446) --- pkg/kyverno/test/test_command.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 251cb8cc92..3518745e76 100644 --- a/pkg/kyverno/test/test_command.go 
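Review bot: The second hunk deletes the doc comment on `substituteVars` outright, which drops the only statement of its failure semantics ("if any variable is invalid or has nil value, it is considered as a failed variable substitution") and leaves the unexported helper undocumented while the exported wrapper gains a comment. The likely reason for the deletion is that the old comment named the function with the wrong case (`SubstituteVars`), which is fixable without losing the content, e.g. `// substituteVars replaces the variables in rule with values resolved from ctx through vr; an invalid or nil-valued variable fails the substitution.` If that behaviour no longer holds, a one-line comment stating the current contract is still worth keeping.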
+++ b/pkg/kyverno/test/test_command.go @@ -334,7 +334,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s } fmt.Printf("\nExecuting %s...", values.Name) - + valuesFile = values.Variables variables, globalValMap, valuesMap, namespaceSelectorMap, err := common.GetVariable(variablesString, values.Variables, fs, isGit, policyResourcePath) if err != nil { if !sanitizederror.IsErrorSanitized(err) { @@ -384,9 +384,6 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s fmt.Printf("\napplying %s to %s... \n", msgPolicies, msgResources) } - if variablesString != "" { - variables = common.SetInStoreContext(mutatedPolicies, variables) - } for _, policy := range mutatedPolicies { err := policy2.Validate(policy, nil, true, openAPIController) if err != nil { From 83a815d7cf4761b38c56d6a620ae98bb57474176 Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Tue, 28 Sep 2021 20:17:03 +0530 Subject: [PATCH 15/50] added test cases Signed-off-by: NoSkillGirl --- pkg/engine/validate/validate_test.go | 34 ++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index af673e7083..2161222b4c 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go 
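Review bot: `valuesFile = values.Variables` in the first hunk overwrites the `valuesFile` parameter of applyPoliciesFromPath, apparently from inside a loop over values, yet the call on the next line still passes `values.Variables` directly, so the parameter is being repurposed as a carrier for something consumed further down, outside this hunk. Reassigning a parameter to smuggle state is easy to misread as a bug; either introduce a distinctly named local (`variablesFile := values.Variables`) or add a comment saying what later code relies on the new value, e.g. `// valuesFile now points at the per-values variables file so the skipped-policy message below is suppressed when variables are supplied`, if that is indeed the mechanism behind the fix. In the second hunk the removal of the `SetInStoreContext` call for `variablesString != ""` is likewise unexplained; a short comment tying it to the reported symptom would help the next reader. The enclosing function starts and ends outside both hunks.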
@@ -1536,39 +1536,63 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 {
 name: "test-28",
 pattern: []byte(`{"spec": {"containers": [{"name": "*", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`),
+ resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo", "value": "bar" }],"imagePullPolicy": "IfNotpresent"}]}}`),
+ nilErr: true,
+ },
+ {
+ name: "test-29",
+ pattern: []byte(`{"spec": {"containers": [{"name": "*", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`),
 resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo", "value": "bar" }],"imagePullPolicy": "Always"}]}}`),
 nilErr: false,
 },
 {
- name: "test-29",
+ name: "test-30",
 pattern: []byte(`{"metadata": {"<(name)": "nginx"},"spec": {"imagePullSecrets": [{"name": "regcred"}]}}`),
 resource: []byte(`{"metadata": {"name": "somename"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`),
 nilErr: true,
 },
 {
- name: "test-30",
+ name: "test-31",
 pattern: []byte(`{"metadata": {"<(name)": "nginx"},"spec": {"imagePullSecrets": [{"name": "regcred"}]}}`),
 resource: []byte(`{"metadata": {"name": "nginx"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`),
 nilErr: false,
 },
 // {
- // name: "test-31",
+ // name: "test-32",
 // pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`),
 // resource: []byte(`{"metadata": {"name": "nginx1","labels": {"foo1": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`),
 // nilErr: true,
 // },
 {
- name: "test-32",
+ name: "test-33",
 pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`),
 resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx"}]}}`),
 nilErr: true,
 },
 {
- name: "test-33",
+ name: "test-34",
 pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`),
 resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`),
 nilErr: false,
 },
+ {
+ name: "test-35",
+ pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`),
+ resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx"}], "imagePullSecrets": [{"name": "cred"}]}}`),
+ nilErr: false,
+ },
+ {
+ name: "test-36",
+ pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`),
+ resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "somepod"}], "imagePullSecrets": [{"name": "cred"}]}}`),
+ nilErr: true,
+ },
+ {
+ name: "test-37",
+ pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`),
+ resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx"}], "imagePullSecrets": [{"name": "my-registry-secret"}]}}`),
+ nilErr: true,
+ },
 }
 
 for _, testCase := range testCases {
From 5b01dd53a74bf05527f38c5768cce7073ad003ee Mon Sep 17 00:00:00 2001
From: Shubham Palriwala
Date: Wed, 29 Sep 2021 00:49:26 +0530
Subject: [PATCH 16/50] remove minio/minio and update minio/pkg (#2440)
Signed-off-by: ShubhamPalriwala
---
 go.mod | 3 +-
 go.sum | 107 ++------------------------------------
 pkg/engine/imageVerify.go | 5 +-
 3 files changed, 7 insertions(+), 108 deletions(-)
diff --git a/go.mod b/go.mod
index 41cb770ffb..178561420d 100644
--- a/go.mod
+++ b/go.mod
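Review bot: The table entries in TestConditionalAnchorWithMultiplePatterns are named by sequence number, so inserting test-28 forces every later case to be renumbered: five `name:` lines change in this hunk with no change in content, which buries the real additions (test-28 and test-35..37) and will recur on every future insertion. Naming each case after what it checks, e.g. `name: "conditional-env-anchor-matches-imagePullPolicy-not-always"`, keeps the table stable and makes failures readable without cross-referencing. Separately, the new test-28 resource uses `"imagePullPolicy": "IfNotpresent"`, which is not the Kubernetes spelling (`IfNotPresent`); the `!Always` pattern matches either way, but a realistic value avoids a reader wondering whether the casing is the point of the case. The enclosing function starts outside the hunk.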
@@ -23,8 +23,7 @@ require ( github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23 github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7 github.com/mattbaird/jsonpatch v0.0.0-20171005235357-81af80346b1a - github.com/minio/minio v0.0.0-20200114012931-30922148fbb5 - github.com/minio/pkg v1.0.7 + github.com/minio/pkg v1.1.3 github.com/nxadm/tail v1.4.8 // indirect github.com/onsi/ginkgo v1.15.0 github.com/onsi/gomega v1.11.0 diff --git a/go.sum b/go.sum index 471dea8748..b4681cced9 100644 --- a/go.sum +++ b/go.sum @@ -66,7 +66,6 @@ contrib.go.opencensus.io/integrations/ocsql v0.1.4/go.mod h1:8DsSdjz3F+APR+0z0Wk contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= contrib.go.opencensus.io/resource v0.1.1/go.mod h1:F361eGI91LCmW1I/Saf+rX0+OFcigGlFvXwEGEnkRLA= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= github.com/Azure/azure-amqp-common-go/v2 v2.1.0/go.mod h1:R8rea+gJRuJR6QxTir/XuEd+YuKoUiazDC/N96FiDEU= github.com/Azure/azure-amqp-common-go/v3 v3.1.0/go.mod h1:PBIGdzcO1teYoufTKMcGibdKaYZv4avS+O6LNIp8bq0= github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= 
@@ -89,7 +88,6 @@ github.com/Azure/go-amqp v0.13.4/go.mod h1:wbpCKA8tR5MLgRyIu+bb+S6ECdIDdYJ0NlpFE github.com/Azure/go-amqp v0.13.7/go.mod h1:wbpCKA8tR5MLgRyIu+bb+S6ECdIDdYJ0NlpFE9xsBPI= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v12.0.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= @@ -140,7 +138,6 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo= github.com/GoogleCloudPlatform/cloudsql-proxy v1.22.0/go.mod h1:mAm5O/zik2RFmcpigNjg6nMotDL8ZXJaxKzgGVcSMFA= 
@@ -189,7 +186,6 @@ github.com/ReneKroon/ttlcache/v2 v2.7.0 h1:sZeaSwA2UN/y/h7CvkW15Kovd2Oiy76CBDORi github.com/ReneKroon/ttlcache/v2 v2.7.0/go.mod h1:mBxvsNY+BT8qLLd6CuAJubbKo6r0jh3nb5et22bbfGY= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= -github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/ThalesIgnite/crypto11 v1.2.4/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE= 
@@ -200,14 +196,12 @@ github.com/ahmetb/gen-crd-api-reference-docs v0.1.5/go.mod h1:P/XzJ+c2+khJKNKABc github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs= github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE= -github.com/alecthomas/participle v0.2.1/go.mod h1:SW6HZGeZgSIpcUWX3fXpfZhuaWHnmoD5KCVaqSaNTkk= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= -github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= 
@@ -225,7 +219,6 @@ github.com/appscode/jsonpatch v0.0.0-20190108182946-7c0e3b262f30/go.mod h1:4AJxU github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= github.com/armon/go-metrics v0.3.0/go.mod h1:zXjbSimjXTd7vOpY8B0/2LpvNvDoXBuplAD+gJD3GYs= github.com/armon/go-metrics v0.3.3/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= @@ -246,7 +239,6 @@ github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.19.45/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= 
@@ -262,10 +254,7 @@ github.com/aws/aws-sdk-go v1.40.7 h1:dD5+UZxedqHeE4WakJHEhTsEARYlq8kHkYEf89R1tEo github.com/aws/aws-sdk-go v1.40.7/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I= -github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= -github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2/go.mod h1:RDu/qcrnpEdJC/p8tx34+YBFqqX71lB7dOX9QE+ZC4M= github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A= -github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -284,7 +273,6 @@ github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= -github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= 
@@ -312,7 +300,6 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/cheggaaa/pb v1.0.28/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= @@ -423,12 +410,10 @@ github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRD github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= -github.com/coredns/coredns v1.4.0/go.mod h1:zASH/MVDgR6XZTbxvOnsZfffS+31vg6Ackf/wo1+AM0= github.com/coreos/bbolt v1.3.1-coreos.6/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/bbolt v1.3.3/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/etcd v3.3.12+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.15+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/etcd v3.3.17+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
@@ -488,7 +473,6 @@ github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQ github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/distribution/distribution v2.7.1+incompatible h1:aGFx4EvJWKEh//lHPLwFhFgwFHKH06TzNVPamrMn04M= github.com/distribution/distribution v2.7.1+incompatible/go.mod h1:EgLm2NgWtdKgzF9NpMzUKgzmR7AMmb0VQi2B+ZzDRjc= -github.com/djherbis/atime v1.0.0/go.mod h1:5W+KBIuTwVGcqjIfaTwt+KSYX1o6uep8dtevevQP/f8= github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.7+incompatible h1:pv/3NqibQKphWZiAskMzdz8w0PRbtTaEB+f6NwdU7Is= 
@@ -518,12 +502,9 @@ github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:Htrtb github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= -github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= -github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4= github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= 
@@ -560,7 +541,6 @@ github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4= github.com/franela/goreq v0.0.0-20171204163338-bcd34c9993f8/go.mod h1:ZhphrRTfi2rbfLwlschooIH4+wKKDR4Pdxhh+TRoA20= -github.com/frankban/quicktest v1.4.1/go.mod h1:36zfPVQyHxymz4cH7wlDmVwDrJuljRB60qkgn7rorfQ= github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= @@ -606,7 +586,6 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc= github.com/go-ldap/ldap/v3 v3.1.3/go.mod h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8= github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= 
@@ -812,7 +791,6 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= @@ -837,7 +815,6 @@ github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEW github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= 
@@ -928,22 +905,18 @@ github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2c github.com/googleapis/gnostic v0.5.4 h1:ynbQIWjLw7iv6HAFdixb30U7Uvcmx+f4KlLJpmhkTK0= github.com/googleapis/gnostic v0.5.4/go.mod h1:TRWw1s4gxBGjSe301Dai3c7wXJAZy57+/6tawkOvqHQ= github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f h1:4Gslotqbs16iAg+1KR/XdabIfq8TlAWHdwS5QJFksLc= -github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU= github.com/goreleaser/goreleaser v0.134.0/go.mod h1:ZT6Y2rSYa6NxQzIsdfWWNWAlYGXGbreo66NmE+3X3WQ= github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhjYcR6G9w= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= -github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= -github.com/gorilla/rpc v1.2.0/go.mod 
h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36jkTQ= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= @@ -976,8 +949,6 @@ github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtng github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= -github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= -github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= 
@@ -986,14 +957,12 @@ github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh github.com/hashicorp/go-immutable-radix v1.1.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= -github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.2/go.mod h1:gEx6HMUGxYYhJScX7W1Il64m6cc2C1mDaW3NQ9sY1FY= github.com/hashicorp/go-retryablehttp v0.6.4/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= 
@@ -1020,20 +989,15 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
-github.com/hashicorp/raft v1.1.1-0.20190703171940-f639636d18e0/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8=
-github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea/go.mod h1:pNv7Wc3ycL6F5oOWn+tPGo2gWD4a5X+yp/ntwdKLjRk=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
-github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q=
 github.com/hashicorp/vault/api v1.0.5-0.20200519221902-385fac77e20f/go.mod h1:euTFbi2YJgwcju3imEt919lhJKF68nN1cQPq3aA+kBE=
 github.com/hashicorp/vault/api v1.1.0/go.mod h1:R3Umvhlxi2TN7Ex2hzOowyeNb+SfbVWI973N+ctaFMk=
 github.com/hashicorp/vault/api v1.1.1/go.mod h1:29UXcn/1cLOPHQNMWA7bCz2By4PSd0VKPAydKXS5yN0=
-github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221530-14615acda45f/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.2.0/go.mod h1:cAGI4nVnEfAyMeqt9oB+Mase8DNn3qA/LDNHURiwssY=
 github.com/hashicorp/vault/sdk v0.2.1/go.mod h1:WfUiO1vYzfBkz1TmoE4ZGU7HD0T0Cl/rZwaxjBkgN4U=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
-github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.0.0/go.mod h1:4qWG/gcEcfX4z/mBDHJ++3ReCw9ibxbsNJbcucJdbSo=
@@ -1051,7 +1015,6 @@ github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9 h1:j7klXz5kh0ydPmHkBtJ/Al27G1/au4sH7OkGhkgRJWg=
 github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA=
-github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
@@ -1059,7 +1022,6 @@ github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6t
 github.com/jarcoal/httpmock v1.0.5/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
 github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 h1:zqyV5j9xEuPQw2ma4RzzS9O74UwTq3vcMmpoHyL6xlI=
 github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431/go.mod h1:3VIJLjlf5Iako82IX/5KOoCzDmogK5mO+bl+DRItnR8=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -1102,10 +1064,7 @@ github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvW
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.8.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.9.5/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.9.7/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
@@ -1113,13 +1072,9 @@ github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8
 github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.13.0 h1:2T7tUoQrQT+fQWdaY5rjWztFGAFwbGD04iPJg90ZiOs=
 github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
-github.com/klauspost/cpuid v1.2.2/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/klauspost/cpuid v1.3.1/go.mod h1:bYW4mA6ZgKPob1/Dlai2LviZJO7KGI3uoWLd42rAQw4=
 github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
-github.com/klauspost/readahead v1.3.1/go.mod h1:AH9juHzNH7xqdqFHrMRSHeH2Ps+vFf+kblDqzPFiLJg=
-github.com/klauspost/reedsolomon v1.9.3/go.mod h1:CwCi+NUr9pqSVktrkN+Ondf06rkhYZ/pcNv7fu+8Un4=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1135,7 +1090,6 @@ github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/kyverno/go-jmespath v0.4.1-0.20210511164400-a1d46efa2ed6 h1:3toVuFm87/kV8FSub2JSnjSuLz3l521ON4sOpvuTNbk=
 github.com/kyverno/go-jmespath v0.4.1-0.20210511164400-a1d46efa2ed6/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
@@ -1173,7 +1127,6 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -1198,12 +1151,10 @@ github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope
 github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
 github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc=
-github.com/mattn/go-ieproxy v0.0.0-20190805055040-f9202b1cfdeb/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc=
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
@@ -1226,28 +1177,19 @@ github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88J
 github.com/mediocregopher/radix/v4 v4.0.0-beta.1/go.mod h1:Z74pilm773ghbGV4EEoPvi6XWgkAfr0VCNkfa8gI1PU=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/minio/argon2 v1.0.0/go.mod h1:XtOGJ7MjwUJDPtCqqrisx5QwVB/jDx+adQHigJVsQHQ=
-github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY=
-github.com/minio/gokrb5/v7 v7.2.5/go.mod h1:z6fE6twrvMN004M+KRTHnmtfpxsBIztP0PVsak0/4f8=
-github.com/minio/hdfs/v3 v3.0.1/go.mod h1:6ALh9HsAwG9xAXdpdrZJcSY0vR6z3K+9XIz6Y9pQG/c=
-github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5dxBpaMbdc=
-github.com/minio/lsync v1.0.1/go.mod h1:tCFzfo0dlvdGl70IT4IAK/5Wtgb0/BrTmo/jE8pArKA=
 github.com/minio/madmin-go v1.0.12/go.mod h1:BK+z4XRx7Y1v8SFWXsuLNqQqnq5BO/axJ8IDJfgyvfs=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
-github.com/minio/minio v0.0.0-20200114012931-30922148fbb5 h1:CjDeQ78sVdDrENJff3EUwVMUv9GfTL4NyLvjE/Bvrd8=
-github.com/minio/minio v0.0.0-20200114012931-30922148fbb5/go.mod h1:HH1U0HOUzfjsCGlGCncWDh8L3zPejMhMDDsLAETqXs0=
-github.com/minio/minio-go/v6 v6.0.44/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg=
 github.com/minio/minio-go/v7 v7.0.11-0.20210302210017-6ae69c73ce78/go.mod h1:mTh2uJuAbEqdhMVl6CMIIZLUeiMiWtJR4JB8/5g2skw=
-github.com/minio/parquet-go v0.0.0-20191231003236-20b3c07bcd2c/go.mod h1:sl82d+TnCE7qeaNJazHdNoG9Gpyl9SZYfleDAQWrsls=
 github.com/minio/pkg v1.0.7 h1:+vUH/qWfjVpysbVJeebkhCh8QqQ8H6uYdmqLfb34X2E=
 github.com/minio/pkg v1.0.7/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
+github.com/minio/pkg v1.1.3 h1:J4vGnlNSxc/o9gDOQMZ3k0L3koA7ZgBQ7GRMrUpt/OY=
+github.com/minio/pkg v1.1.3/go.mod h1:32x/3OmGB0EOi1N+3ggnp+B5VFkSBBB9svPMVfpnf14=
 github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
 github.com/minio/sha256-simd v1.0.0/go.mod h1:OuYzVNI5vcoYIAmbIvHPl3N3jUzVedXbKy5RFepssQM=
-github.com/minio/sio v0.2.0/go.mod h1:nKM5GIWSrqbOZp0uhyj6M1iA0X6xQzSGtYSaTKSCut0=
 github.com/minio/sio v0.2.1/go.mod h1:8b0yPp2avGThviy/+OCJBI6OMpvxoUuiLvE6F1lebhw=
 github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -1298,24 +1240,16 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/mwitkow/go-proto-validators v0.0.0-20180403085117-0950a7990007/go.mod h1:m2XC9Qq0AlmmVksL6FktJCdTYyLk7V3fKyp0sl1yWQo=
 github.com/mwitkow/go-proto-validators v0.2.0/go.mod h1:ZfA1hW+UH/2ZHOWvQ3HnQaU0DtnpXu850MZiy+YUgcc=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/nats-io/gnatsd v1.4.1/go.mod h1:nqco77VO78hLCJpIcVfygDP2rPGfsEHkGTUk94uh5DQ=
-github.com/nats-io/go-nats v1.7.2/go.mod h1:+t7RHT5ApZebkrQdnn6AhQJmhJJiKAvJUio1PiiCtj0=
-github.com/nats-io/go-nats-streaming v0.4.4/go.mod h1:gfq4R3c9sKAINOpelo0gn/b9QDMBZnmrttcsNF+lqyo=
 github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
 github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU=
-github.com/nats-io/nats-server v1.4.1/go.mod h1:c8f/fHd2B6Hgms3LtCaI7y6pC4WD1f4SUxcCud5vhBc=
 github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k=
-github.com/nats-io/nats-streaming-server v0.14.2/go.mod h1:RyqtDJZvMZO66YmyjIYdIvS69zu/wDAkyNWa8PIUa5c=
 github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w=
 github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
-github.com/nats-io/stan.go v0.4.5/go.mod h1:Ji7mK6gRZJSH1nc3ZJH6vi7zn/QnZhpR9Arm4iuzsUQ=
-github.com/ncw/directio v1.0.5/go.mod h1:rX/pKEYkOXBGOggmcyJeJGloCkleSvphPx2eV3t6ROk=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso=
-github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN+Ito=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
@@ -1398,7 +1332,6 @@ github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FI
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pborman/getopt v0.0.0-20180729010549-6fdd0a2c7117/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -1416,7 +1349,6 @@ github.com/peterh/liner v0.0.0-20170211195444-bf27d3ba8e1d/go.mod h1:xIteQHvHuaL
 github.com/philhofer/fwd v1.1.1/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
 github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc=
 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
-github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -1488,7 +1420,6 @@ github.com/pseudomuto/protoc-gen-doc v1.4.1/go.mod h1:exDTOVwqpp30eV/EDPFLZy3Pwr
 github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q=
 github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
-github.com/rcrowley/go-metrics v0.0.0-20190704165056-9c2d0518ed81/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/rjeczalik/notify v0.9.2/go.mod h1:aErll2f0sUX9PXZnVNyeiObbmTlk5jnMoCa4QEjJeqM=
@@ -1500,7 +1431,6 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
@@ -1521,7 +1451,6 @@ github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdh
 github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
-github.com/secure-io/sio-go v0.3.0/go.mod h1:D3KmXgKETffyYxBdFRN+Hpd2WzhzqS0EQwT3XWsAcBU=
 github.com/secure-io/sio-go v0.3.1/go.mod h1:+xbkjDzPjwh4Axd07pRKSNriS9SCiYksWnZqdnfpQxs=
 github.com/segmentio/ksuid v1.0.3/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
@@ -1531,7 +1460,6 @@ github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9bsGbA=
 github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY=
-github.com/shirou/gopsutil v2.18.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
 github.com/shirou/gopsutil/v3 v3.21.4/go.mod h1:ghfMypLDrFSWN2c9cDYFLHyynQ+QUht0cv/18ZqVczw=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sigstore/cosign v1.0.0 h1:jvsRP8ZfEc5jAnj2cGQo5S02VQ7h7rXwpiXYJF4n0+0=
@@ -1556,9 +1484,7 @@ github.com/sirupsen/logrus v1.8.0/go.mod h1:4GuYW9TZmE769R5STWrRakJc4UqQ3+QQ95fy
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
-github.com/skyrings/skyring-common v0.0.0-20160929130248-d1c0bb1cbd5e/go.mod h1:d8hQseuYt4rJoOo21lFzYJdhMjmDqLY++ayArbgYjWI=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
-github.com/smartystreets/assertions v0.0.0-20190401211740-f487f9de1cd3/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/assertions v1.1.1/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N3yZFZkDFs=
@@ -1638,12 +1564,9 @@ github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpu
 github.com/theupdateframework/go-tuf v0.0.0-20210630170422-22a94818d17b/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw=
 github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396 h1:j4odVZMwglHp54CYsNHd0wls+lkQzxloQU9AQjQu0W4=
 github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396/go.mod h1:L+uU/NRFK/7h0NYAnsmvsX9EghDB5QVCcHCIrK2h5nw=
-github.com/tidwall/gjson v1.3.5/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls=
-github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
-github.com/tidwall/sjson v1.0.4/go.mod h1:bURseu1nuBkFpIES5cz6zBtjmYeOQmEESshn7VpF15Y=
 github.com/tilinna/clock v1.0.2/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
 github.com/tilinna/clock v1.1.0/go.mod h1:ZsP7BcY7sEEz7ktc0IVy8Us6boDrK8VradlKRUGfOao=
 github.com/tinylib/msgp v1.1.3/go.mod h1:+d+yLhGm8mzTaHzB+wgMYrodPfmZrzkirds8fDWklFE=
@@ -1662,10 +1585,8 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
-github.com/ugorji/go v1.1.5-pre/go.mod h1:FwP/aQVg39TXzItUBMwnWp9T9gPQnXw4Poh4/oBQZ/0=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/ugorji/go/codec v1.1.5-pre/go.mod h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI=
 github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
@@ -1676,7 +1597,6 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
-github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
 github.com/vdemeester/k8s-pkg-credentialprovider v1.19.7 h1:MJ5fV2Z0OyIuPvFVs0vi6VjTjxpdK1QT8oX/aWiUjYM=
 github.com/vdemeester/k8s-pkg-credentialprovider v1.19.7/go.mod h1:K2nMO14cgZitdwBqdQps9tInJgcaXcU/7q5F59lpbNI=
 github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw=
@@ -1698,7 +1618,6 @@ github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
 github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I=
 github.com/xdg/stringprep v0.0.0-20180714160509-73f8eece6fdc/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
-github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
@@ -1824,14 +1743,12 @@ golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181106171534-e4dc69e5b2fd/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190424203555-c05e17bb3b2d/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -2027,7 +1944,6 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5h shtkjS+E42TnysNCUPdjciGhY=
@@ -2042,7 +1958,6 @@ golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -2058,7 +1973,6 @@ golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -2153,7 +2067,6 @@ golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fq
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -2311,7 +2224,6 @@ google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.3.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
@@ -2323,12 +2235,10 @@ google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20181107211654-5fc9ac540362/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190513181449-d00d292a067c/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190620144150-6af8c5fc6601/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
@@ -2446,7 +2356,6 @@ google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+Rur
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -2468,20 +2377,11 @@ gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWd gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.48.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/jcmturner/aescts.v1 v1.0.1/go.mod h1:nsR8qBOg+OucoIW+WMhB3GspUQXq9XorLnQb9XtvcOo= -gopkg.in/jcmturner/dnsutils.v1 v1.0.1/go.mod h1:m3v+5svpVOhtFAP/wSz+yzh4Mc0Fg7eRhxkJMWSIz9Q= -gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4= -gopkg.in/jcmturner/gokrb5.v7 v7.2.3/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM= -gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8= -gopkg.in/ldap.v3 v3.0.3/go.mod h1:oxD7NyBuxchC+SgJDE1Q5Od05eGt29SDQVBmV+HYbzw= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/olivere/elastic.v5 v5.0.80/go.mod h1:uhHoB4o3bvX5sorxBU29rPcmBQdV2Qfg0FBrx5D6pV0= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= 
@@ -2492,7 +2392,6 @@ gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzW gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHOQNO0= gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 921f8b100d..f3e864d374 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -3,15 +3,16 @@ package engine import ( "encoding/json" "fmt" + "time" + "github.com/go-logr/logr" v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/cosign" "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/engine/utils" - "github.com/minio/minio/pkg/wildcard" + "github.com/minio/pkg/wildcard" "sigs.k8s.io/controller-runtime/pkg/log" - "time" ) func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineResponse) { From dc6694029cc741f6a1923faab2fed05b6c93cd87 Mon Sep 17 00:00:00 2001 From: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Date: Wed, 29 Sep 2021 02:30:49 +0530 Subject: [PATCH 17/50] Update anti-affinity to the soft limit (#2441) --- charts/kyverno/templates/deployment.yaml | 18 ++++++++++-------- definitions/install.yaml | 18 ++++++++++-------- definitions/manifest/deployment.yaml | 18 ++++++++++-------- 3 files changed, 30 insertions(+), 24 deletions(-) 
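Review bot: The import swap from `github.com/minio/minio/pkg/wildcard` to `github.com/minio/pkg/wildcard` changes which module supplies the pattern matching used by VerifyAndPatchImages, but nothing in the hunk pins the new package's behaviour. If the two implementations differ on `*`/`?` handling or case sensitivity, image-verification rules could apply to a different set of image references than before, so a small unit test asserting the current matching results against the new import would make the swap verifiable. The go.sum removals above are consistent with dropping the larger module, but the corresponding go.mod change is outside this chunk; VerifyAndPatchImages's body is also outside the hunk.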
diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml index 299831ebd6..4e0521b20e 100644 --- a/charts/kyverno/templates/deployment.yaml +++ b/charts/kyverno/templates/deployment.yaml @@ -33,14 +33,16 @@ spec: {{- if .Values.antiAffinity.enable }} affinity: podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - kyverno - topologyKey: {{ .Values.antiAffinity.topologyKey }} + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - kyverno + topologyKey: {{ .Values.antiAffinity.topologyKey }} {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }} diff --git a/definitions/install.yaml b/definitions/install.yaml index 090e7b3955..3c2cc9426a 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -6590,14 +6590,16 @@ spec: spec: affinity: podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - kyverno - topologyKey: kubernetes.io/hostname + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - kyverno + topologyKey: kubernetes.io/hostname + weight: 1 containers: - args: - --filterK8sResources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*] diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml index cc28942734..c4d63c12d3 100755 
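Review bot: Switching to `preferredDuringSchedulingIgnoredDuringExecution` with a hard-coded `weight: 1` means the scheduler may now place every kyverno replica on the same node, and weight 1 is the lowest possible preference so any other preferred term outweighs it; the same applies to the definitions/install.yaml hunk here and the definitions/manifest/deployment.yaml hunk below. For an admission webhook, losing the one node that holds all replicas can block admission cluster-wide, so the chart should make the trade-off visible: either template the weight (for example `weight: {{ .Values.antiAffinity.weight | default 1 }}`, a new value next to the existing `antiAffinity.enable` and `antiAffinity.topologyKey`) or add a comment in the template such as `# soft anti-affinity: replicas may share a node when no other node is schedulable`.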
--- a/definitions/manifest/deployment.yaml +++ b/definitions/manifest/deployment.yaml @@ -23,14 +23,16 @@ spec: spec: affinity: podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - kyverno - topologyKey: "kubernetes.io/hostname" + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - kyverno + topologyKey: "kubernetes.io/hostname" serviceAccountName: kyverno-service-account securityContext: runAsNonRoot: true From ff540bfb067b83797c25765108d9ec5f4bf69140 Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Wed, 29 Sep 2021 10:59:54 +0530 Subject: [PATCH 18/50] removing print statement Signed-off-by: NoSkillGirl --- pkg/engine/validate/utils.go | 9 --------- pkg/engine/validate/validate.go | 11 ----------- 2 files changed, 20 deletions(-) diff --git a/pkg/engine/validate/utils.go b/pkg/engine/validate/utils.go index cd53eaa58d..1edde4a8d5 100644 --- a/pkg/engine/validate/utils.go +++ b/pkg/engine/validate/utils.go @@ -2,7 +2,6 @@ package validate import ( "container/list" - "fmt" commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor/common" ) @@ -11,7 +10,6 @@ import ( func hasNestedAnchors(pattern interface{}) bool { switch typed := pattern.(type) { case map[string]interface{}: - fmt.Println("map[string]interface{}......") if anchors := getAnchorsFromMap(typed); len(anchors) > 0 { return true } @@ -22,7 +20,6 @@ func hasNestedAnchors(pattern interface{}) bool { } return false case []interface{}: - fmt.Println("[]interface{}......") for _, value := range typed { if hasNestedAnchors(value) { return true @@ -30,7 +27,6 @@ func hasNestedAnchors(pattern interface{}) bool { } return false default: - fmt.Println("default......") return false } } 
@@ -38,20 +34,15 @@ func hasNestedAnchors(pattern interface{}) bool { // getSortedNestedAnchorResource - sorts anchors key func getSortedNestedAnchorResource(resources map[string]interface{}) *list.List { sortedResourceKeys := list.New() - fmt.Println("\n-----------getSortedNestedAnchorResource------------") - fmt.Println("resources: ", resources) for k, v := range resources { - fmt.Println("k: ", k, " v:", v) if commonAnchors.IsGlobalAnchor(k) { sortedResourceKeys.PushFront(k) continue } if hasNestedAnchors(v) { sortedResourceKeys.PushFront(k) - fmt.Println("PushFront") } else { sortedResourceKeys.PushBack(k) - fmt.Println("PushBack") } } return sortedResourceKeys diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index 31317b6b8e..979aaf55bb 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go @@ -36,11 +36,6 @@ func ValidateResourceWithPattern(logger logr.Logger, resource, pattern interface // and calls corresponding handler // Pattern tree and resource tree can have different structure. In this case validation fails func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string, ac *common.AnchorKey) (string, error) { - fmt.Println("\n---------------validateResourceElement--------------") - fmt.Println("resourceElement: ", resourceElement) - fmt.Println("patternElement: ", patternElement) - fmt.Println("originPattern: ", originPattern) - fmt.Println("path: ", path) switch typedPatternElement := patternElement.(type) { // map case map[string]interface{}: 
@@ -88,11 +83,6 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string, ac *common.AnchorKey) (string, error) { - fmt.Println("\n-------------validateMap----------------") - fmt.Println("resourceMap: ", resourceMap) - fmt.Println("patternMap: ", patternMap) - fmt.Println("origPattern: ", origPattern) - fmt.Println("path: ", path) patternMap = wildcards.ExpandInMetadata(patternMap, resourceMap) // check if there is anchor in pattern // Phase 1 : Evaluate all the anchors @@ -121,7 +111,6 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{} sortedResourceKeys := getSortedNestedAnchorResource(resources) for e := sortedResourceKeys.Front(); e != nil; e = e.Next() { key := e.Value.(string) - fmt.Println("key picked: ", key) handler := anchor.CreateElementHandler(key, resources[key], path) handlerPath, err := handler.Handle(validateResourceElement, resourceMap, origPattern, ac) if err != nil { From 9513cca68fcac9b27d41de077096df8ba68f3c1f Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Wed, 29 Sep 2021 11:02:07 +0530 Subject: [PATCH 19/50] removing commented test case Signed-off-by: NoSkillGirl --- pkg/engine/validate/validate_test.go | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index 2161222b4c..904a165e27 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go 
@@ -1557,38 +1557,32 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { resource: []byte(`{"metadata": {"name": "nginx"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`), nilErr: false, }, - // { - // name: "test-32", - // pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), - // resource: []byte(`{"metadata": {"name": "nginx1","labels": {"foo1": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`), - // nilErr: true, - // }, { - name: "test-33", + name: "test-32", pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx"}]}}`), nilErr: true, }, { - name: "test-34", + name: "test-33", pattern: []byte(`{"metadata": {"labels": {"<(foo)": "bar"}},"spec": {"containers": [{"name": "nginx","image": "!*:latest"}]}}`), resource: []byte(`{"metadata": {"name": "nginx","labels": {"foo": "bar"}},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}]}}`), nilErr: false, }, { - name: "test-35", + name: "test-34", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx"}], "imagePullSecrets": [{"name": "cred"}]}}`), nilErr: false, }, { - name: "test-36", + name: "test-35", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "somepod"}], "imagePullSecrets": [{"name": "cred"}]}}`), nilErr: true, }, { - name: "test-37", + name: "test-36", pattern: []byte(`{"spec": {"containers": [{"name": 
"*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx"}], "imagePullSecrets": [{"name": "my-registry-secret"}]}}`), nilErr: true, From 34da0a993ec60a0141b91500b6e7573f3fab571f Mon Sep 17 00:00:00 2001 From: Vyankatesh Kudtarkar Date: Wed, 29 Sep 2021 11:02:48 +0530 Subject: [PATCH 20/50] Fix No warning about background mode when using any / all in match --- pkg/policy/background.go | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/pkg/policy/background.go b/pkg/policy/background.go index 95ed1c21e8..aa25ca0f06 100644 --- a/pkg/policy/background.go +++ b/pkg/policy/background.go 
@@ -25,6 +25,38 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path)
 }
+ if len(rule.MatchResources.Any) > 0 {
+ for i, value := range rule.MatchResources.Any {
+ if path := userInfoDefined(value.UserInfo); path != "" {
+ return fmt.Errorf("invalid variable used at path: spec/rules[%d]/match/any[%d]/%s", idx, i, path)
+ }
+ }
+ }
+
+ if len(rule.MatchResources.All) > 0 {
+ for i, value := range rule.MatchResources.All {
+ if path := userInfoDefined(value.UserInfo); path != "" {
+ return fmt.Errorf("invalid variable used at path: spec/rules[%d]/match/all[%d]/%s", idx, i, path)
+ }
+ }
+ }
+
+ if len(rule.ExcludeResources.All) > 0 {
+ for i, value := range rule.ExcludeResources.All {
+ if path := userInfoDefined(value.UserInfo); path != "" {
+ return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/any[%d]/%s", idx, i, path)
+ }
+ }
+ }
+
+ if len(rule.ExcludeResources.Any) > 0 {
+ for i, value := range rule.ExcludeResources.Any {
+ if path := userInfoDefined(value.UserInfo); path != "" {
+ return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/all[%d]/%s", idx, i, path)
+ }
+ }
+ }
+
 filterVars := []string{"request.object", "request.namespace", "images"}
 ctx := context.NewContext(filterVars...)
From 575f3627fc8001a33a5bfd1ba9aaa402e9d2050e Mon Sep 17 00:00:00 2001 From: Anita-ihuman <62384659+Anita-ihuman@users.noreply.github.com> Date: Thu, 30 Sep 2021 04:52:03 +0100 Subject: [PATCH 21/50] Updating the Contributing.md file (#2450) * create configuration for behaviour bot Signed-off-by: Anita-ihuman * adding contributor images Signed-off-by: Anita-ihuman * fixed typo in config.yml Signed-off-by: Anita-ihuman * including config file to ignore. Signed-off-by: Anita-ihuman * refined the contributing.md file Signed-off-by: Anita-ihuman * updated the contributing.md file
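Review bot: The error paths of the two exclude loops are swapped: the loop over `rule.ExcludeResources.All` reports `spec/rules[%d]/exclude/any[%d]/%s` and the loop over `rule.ExcludeResources.Any` reports `spec/rules[%d]/exclude/all[%d]/%s`, so the message points the policy author at the wrong block. Swap the two literals so the All loop uses `"invalid variable used at path: spec/rules[%d]/exclude/all[%d]/%s"` and the Any loop uses `"invalid variable used at path: spec/rules[%d]/exclude/any[%d]/%s"`. The four `if len(...) > 0` guards are redundant, since ranging over an empty slice is a no-op, and could be dropped to keep the four blocks short. ContainsVariablesOtherThanObject starts and ends outside the hunk.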
Signed-off-by: Anita-ihuman * updated the contributing.md file Signed-off-by: Anita-ihuman * updated the contributing.md file Signed-off-by: Anita-ihuman --- CONTRIBUTING.md | 74 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 64 insertions(+), 10 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2ba0c8b6f5..06faba4a73 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,20 +2,74 @@ We welcome all contributions, suggestions, and feedback, so please do not hesitate to reach out! -The easiest way to reach us is on the [Kubernetes slack #kyverno channel](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9). -## Ways you can contribute -- Report potential bugs -- Request a feature -- Request a sample policy -- Join our community meetings -- Submit a PR for [open issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) -- Fix or improve documentation +## Ways you can contribute: + - [Report Issues](https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md#report-issues) + - [Submit Pull Requests](https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md#submit-pull-requests) + - [Fix or Improve Documentation](https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md#fix-or-improve-documentation) + - [Join Our Community Meetings](https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md#join-our-community-meetings) + +### Report issues + - Report potential bugs + - Request a feature + - Request a sample policy + +### Submit Pull Requests +#### Setup local development environments +- Please refer to [Running in development mode](https://github.com/kyverno/kyverno/wiki/Running-in-development-mode) for local setup. + +#### Submit a PR for [open issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) +### Fix or Improve Documentation + - [Kyverno Docs](https://github.com/kyverno/website) + #### Get started + +Head over to project repository on github and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project. + + - **Clone the repository to your device:** + +Get the link of your forked repository, paste it in your device terminal and clone it using the command. 
+ +``` +$ git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY +``` + + - **Create a branch:** + + Create a new brach and navigate to the branch using this command. + + ``` + $ git checkout -b + ``` + + Great, its time to start hacking, You can now go ahead to make all the changes you want. + + + - **Stage, Commit and Push changes:** + + Now that we have implemented the required changes, use the command below to stage the changes and commit them + + ``` + $ git add . + ``` + + ``` + $ git commit -s -m "Commit message" + ``` + + The -s signifies that you have signed off the the commit. + + Go ahead and push your changes to github using this command. + + ``` + $ git push + ``` + + -The [Kyverno Wiki](https://github.com/kyverno/kyverno/wiki) contains details on code design, building, and testing. Please review all sections. Before you contribute, please review and agree to abide by our community [Code of Conduct](/CODE_OF_CONDUCT.md). - +### Join Our Community Meetings + The easiest way to reach us is on the [Kubernetes slack #kyverno channel](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9). ## Developer Certificate of Origin (DCO) Sign off For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work. From af944b9cd56d71ac25da1a05178138d5defca0a7 Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 29 Sep 2021 20:53:34 -0700 Subject: [PATCH 22/50] Add new fields `webhookTimeoutSeconds` and `failurePolicy` to the policy Spec (#2456) * add tag WebhookTimeoutSeconds to policy spec Signed-off-by: ShutingZhao * add spec.failurePolicy 
Signed-off-by: ShutingZhao --- charts/kyverno/templates/crds.yaml | 26 +++++++++++++ .../crds/kyverno.io_clusterpolicies.yaml | 19 ++++++++++ definitions/crds/kyverno.io_policies.yaml | 19 ++++++++++ definitions/install.yaml | 38 +++++++++++++++++++ definitions/install_debug.yaml | 38 +++++++++++++++++++ pkg/api/kyverno/v1/clusterpolicy_types.go | 1 + pkg/api/kyverno/v1/policy_types.go | 24 ++++++++++++ pkg/api/kyverno/v1/zz_generated.deepcopy.go | 10 +++++ 8 files changed, 175 insertions(+) diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 095bb0e4f5..68561fe05a 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -31,6 +31,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -53,6 +56,12 @@ spec: background: description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: 
@@ -956,6 +965,10 @@ spec: validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime data. @@ -2172,6 +2185,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -2194,6 +2210,12 @@ spec: background: description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: 
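Review bot: The generated description for `webhookTimeoutSeconds` contradicts itself ("The default timeout is 3s" and "Default to 10 seconds" in one sentence), and although it states the value must be between 1 and 30 seconds the schema carries only `format: int32` and `type: integer` with no `minimum`/`maximum`, so the API server will persist 0, negative or very large values and an out-of-range value is presumably only rejected later, if at all, when it is copied into the webhook configuration. The same text recurs in the kyverno.io_clusterpolicies.yaml, kyverno.io_policies.yaml, install.yaml and install_debug.yaml hunks below. Since these files are generated from the Go types, the fix belongs on the `WebhookTimeoutSeconds` field in policy_types.go (not in this chunk): a single correct default in the doc comment plus `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30`, then regenerate the CRDs.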
@@ -3097,6 +3119,10 @@ spec: validationFailureAction: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index ef97738723..89805ce407 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml @@ -25,6 +25,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -56,6 +59,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. 
@@ -1538,6 +1550,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime data. diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index d19eea8917..2b214b4bbc 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml @@ -25,6 +25,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -57,6 +60,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. 
@@ -1539,6 +1551,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime information. Deprecated. Policy diff --git a/definitions/install.yaml b/definitions/install.yaml index 3c2cc9426a..3ce90b1a74 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -43,6 +43,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -74,6 +77,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. 
@@ -1556,6 +1568,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime data. @@ -3162,6 +3181,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -3194,6 +3216,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. @@ -4676,6 +4707,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime information. Deprecated. Policy 
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 07980ca2e8..7c2f4a6aa3 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -30,6 +30,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string @@ -61,6 +64,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. @@ -1543,6 +1555,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime data. @@ -3121,6 +3140,9 @@ spec: - jsonPath: .spec.validationFailureAction name: Action type: string + - jsonPath: .spec.failurePolicy + name: Failure Policy + type: string - jsonPath: .status.ready name: Ready type: string 
@@ -3153,6 +3175,15 @@ spec: that are only available in the admission review request (e.g. user name). type: boolean + failurePolicy: + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. + enum: + - Ignore + - Fail + type: string rules: description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. @@ -4635,6 +4666,13 @@ spec: or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. + format: int32 + type: integer type: object status: description: Status contains policy runtime information. Deprecated. Policy diff --git a/pkg/api/kyverno/v1/clusterpolicy_types.go b/pkg/api/kyverno/v1/clusterpolicy_types.go index 68d53b2a85..8a047dcd60 100644 --- a/pkg/api/kyverno/v1/clusterpolicy_types.go +++ b/pkg/api/kyverno/v1/clusterpolicy_types.go @@ -13,6 +13,7 @@ import ( // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol // +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy" // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready` type ClusterPolicy struct { metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` 
diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 98eecc6612..6cb0c38aba 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -22,6 +22,7 @@ type PolicyList struct { // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction" +// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy" // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready` // +kubebuilder:resource:shortName=pol type Policy struct { @@ -44,6 +45,12 @@ type Spec struct { // each rule can validate, mutate, or generate resources. Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"` + // FailurePolicy defines how unrecognized errors from the admission endpoint are handled. + // Rules within the same policy share the same failure behavior. + // Allowed values are Ignore or Fail. Defaults to Fail. + // +optional + FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` + // ValidationFailureAction controls if a validation policy rule failure should disallow // the admission review request (enforce), or allow (audit) the admission review request // and report an error in a policy report. Optional. The default value is "audit". 
@@ -60,6 +67,12 @@ type Spec struct { // Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. // +optional SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"` + + // WebhookTimeoutSeconds specifies the webhook timeout for this policy. + // After the timeout passes, the admission request will fail based on the failure policy. + // The default timeout is 3s, the value must be between 1 and 30 seconds. + // Default to 10 seconds. + WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` } // Rule defines a validation, mutation, or generation control for matching resources. @@ -113,6 +126,17 @@ type Rule struct { VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"` } +// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. +// +kubebuilder:validation:Enum=Ignore;Fail +type FailurePolicyType string + +const ( + // Ignore means that an error calling the webhook is ignored. + Ignore FailurePolicyType = "Ignore" + // Fail means that an error calling the webhook causes the admission to fail. + Fail FailurePolicyType = "Fail" +) + // AnyAllCondition consists of conditions wrapped denoting a logical criteria to be fulfilled. // AnyConditions get fulfilled when at least one of its sub-conditions passes. // AllConditions get fulfilled only when all of its sub-conditions pass. diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go index 063431ff50..cf0b16562e 100755 --- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go +++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go 
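Review bot: The doc comment on the new `WebhookTimeoutSeconds` field states two different defaults ("The default timeout is 3s" and "Default to 10 seconds"), and the 1–30 second range it describes is not enforced anywhere visible — the regenerated CRD hunks earlier in this patch carry only `format: int32` / `type: integer` for it. The field is a pointer and optional, so it should carry the `// +optional` marker like `SchemaValidation` and `FailurePolicy` above it, and the range belongs in the schema rather than in prose, e.g. `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` on the field, so an out-of-range value is rejected when the policy is created instead of reaching whatever later consumes it. The comment should then state a single default. The `Spec` struct begins before this hunk.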
@@ -657,6 +657,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.FailurePolicy != nil { + in, out := &in.FailurePolicy, &out.FailurePolicy + *out = new(FailurePolicyType) + **out = **in + } if in.Background != nil { in, out := &in.Background, &out.Background *out = new(bool) @@ -667,6 +672,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { *out = new(bool) **out = **in } + if in.WebhookTimeoutSeconds != nil { + in, out := &in.WebhookTimeoutSeconds, &out.WebhookTimeoutSeconds + *out = new(int32) + **out = **in + } return } From 5b5a85c16a5cb54fe6f9ac3e4de740b851d7f350 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Thu, 30 Sep 2021 00:04:13 -0700 Subject: [PATCH 23/50] change RuleStatus values to lowercase 
Signed-off-by: Jim Bugwadia --- pkg/engine/response/response_test.go | 2 +- pkg/engine/response/status.go | 20 +++++++++---------- pkg/kyverno/apply/report_test.go | 2 +- pkg/testrunner/scenario_test.go | 2 +- test/cli/test-fail/missing-rule/test.yaml | 2 +- test/cli/test/simple/test.yaml | 8 ++++---- .../other/scenario_mutate_endpoint.yaml | 2 +- .../other/scenario_mutate_pod_spec.yaml | 2 +- .../other/scenario_mutate_validate_qos.yaml | 4 ++-- .../scenario_validate_default_proc_mount.yaml | 2 +- ...idate_disallow_default_serviceaccount.yaml | 2 +- .../other/scenario_validate_healthChecks.yaml | 4 ++-- .../scenario_validate_selinux_context.yaml | 2 +- .../scenario_validate_volume_whiltelist.yaml | 2 +- .../best_practices/add_networkPolicy.yaml | 2 +- .../samples/best_practices/add_ns_quota.yaml | 4 ++-- .../best_practices/add_safe_to_evict.yaml | 2 +- .../best_practices/add_safe_to_evict2.yaml | 2 +- .../disallow_bind_mounts_fail.yaml | 2 +- .../disallow_bind_mounts_pass.yaml | 2 +- .../disallow_host_network_port.yaml | 4 ++-- .../best_practices/disallow_host_pid_ipc.yaml | 2 +- .../best_practices/disallow_priviledged.yaml | 4 ++-- .../best_practices/disallow_sysctls.yaml | 2 +- .../more/restrict_automount_sa_token.yaml | 2 +- .../more/restrict_ingress_classes.yaml | 2 +- .../samples/more/unknown_ingress_class.yaml | 2 +- 27 files changed, 44 insertions(+), 44 deletions(-) diff --git a/pkg/engine/response/response_test.go b/pkg/engine/response/response_test.go index caf15d8876..31af153db0 100644 --- a/pkg/engine/response/response_test.go +++ b/pkg/engine/response/response_test.go @@ -16,7 +16,7 @@ resource: rules: - name: validate-hostPath type: Validation - status: Fail + status: fail ` func Test_parse_yaml(t *testing.T) { diff --git a/pkg/engine/response/status.go b/pkg/engine/response/status.go index a35f9623f8..d5f050cb86 100644 --- a/pkg/engine/response/status.go +++ b/pkg/engine/response/status.go 
@@ -32,19 +32,19 @@ func (s *RuleStatus) String() string { } var toString = map[RuleStatus]string{ - RuleStatusPass: "Pass", - RuleStatusFail: "Fail", - RuleStatusWarn: "Warning", - RuleStatusError: "Error", - RuleStatusSkip: "Skip", + RuleStatusPass: "pass", + RuleStatusFail: "fail", + RuleStatusWarn: "warning", + RuleStatusError: "error", + RuleStatusSkip: "skip", } var toID = map[string]RuleStatus{ - "Pass": RuleStatusPass, - "Fail": RuleStatusFail, - "Warning": RuleStatusWarn, - "Error": RuleStatusError, - "Skip": RuleStatusSkip, + "pass": RuleStatusPass, + "fail": RuleStatusFail, + "warning": RuleStatusWarn, + "error": RuleStatusError, + "skip": RuleStatusSkip, } // MarshalJSON marshals the enum as a quoted json string diff --git a/pkg/kyverno/apply/report_test.go b/pkg/kyverno/apply/report_test.go index 1abe4d56cc..a3a899463d 100644 --- a/pkg/kyverno/apply/report_test.go +++ b/pkg/kyverno/apply/report_test.go 
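Review bot: Lower-casing the keys of `toID` makes the string-to-status lookup reject the previous spellings ("Pass", "Fail", "Warning", "Error", "Skip"), so any already-serialized rule response, stored scenario file or user-authored CLI test file written against the old casing and not among the fixtures this commit updates will fail to resolve. If the old form must remain readable, either keep the capitalized spellings as additional keys of `toID` (a many-to-one map is harmless here) or lower-case the input at the lookup site, e.g. `toID[strings.ToLower(s)]`, which sits outside this hunk. `toString` can stay lower-case only.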
@@ -86,7 +86,7 @@ var rawPolicy = []byte(` } `) -var rawEngRes = []byte(`{"PatchedResource":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx1","namespace":"default"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"IfNotPresent","name":"nginx","resources":{"limits":{"cpu":"200m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}}]}},"PolicyResponse":{"policy":{"name":"pod-requirements","namespace":""},"resource":{"kind":"Pod","apiVersion":"v1","namespace":"default","name":"nginx1","uid":""},"processingTime":974958,"rulesAppliedCount":2,"policyExecutionTimestamp":1630527712,"rules":[{"name":"pods-require-account","type":"Validation","message":"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/","status":"Fail","processingTime":28833,"ruleExecutionTimestamp":1630527712},{"name":"pods-require-limits","type":"Validation","message":"validation rule 'pods-require-limits' passed.","status":"Pass","processingTime":578625,"ruleExecutionTimestamp":1630527712}],"ValidationFailureAction":"audit"}}`) +var rawEngRes = []byte(`{"PatchedResource":{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx1","namespace":"default"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"IfNotPresent","name":"nginx","resources":{"limits":{"cpu":"200m","memory":"100Mi"},"requests":{"cpu":"100m","memory":"50Mi"}}}]}},"PolicyResponse":{"policy":{"name":"pod-requirements","namespace":""},"resource":{"kind":"Pod","apiVersion":"v1","namespace":"default","name":"nginx1","uid":""},"processingTime":974958,"rulesAppliedCount":2,"policyExecutionTimestamp":1630527712,"rules":[{"name":"pods-require-account","type":"Validation","message":"validation error: User pods must include an account for charging. 
Rule pods-require-account failed at path /metadata/labels/","status":"fail","processingTime":28833,"ruleExecutionTimestamp":1630527712},{"name":"pods-require-limits","type":"Validation","message":"validation rule 'pods-require-limits' passed.","status":"pass","processingTime":578625,"ruleExecutionTimestamp":1630527712}],"ValidationFailureAction":"audit"}}`) func Test_buildPolicyReports(t *testing.T) { os.Setenv("POLICY-TYPE", common.PolicyReport) diff --git a/pkg/testrunner/scenario_test.go b/pkg/testrunner/scenario_test.go index ee2f420e92..541b14b475 100644 --- a/pkg/testrunner/scenario_test.go +++ b/pkg/testrunner/scenario_test.go @@ -26,7 +26,7 @@ expected: rules: - name: validate-hostPath type: Validation - status: Fail + status: fail ` func Test_parse_yaml(t *testing.T) { diff --git a/test/cli/test-fail/missing-rule/test.yaml b/test/cli/test-fail/missing-rule/test.yaml index 2eef4e23ea..78b6f68665 100644 --- a/test/cli/test-fail/missing-rule/test.yaml +++ b/test/cli/test-fail/missing-rule/test.yaml @@ -7,4 +7,4 @@ results: - policy: disallow-latest-tag rule: missing resource: test - status: Pass + status: pass diff --git a/test/cli/test/simple/test.yaml b/test/cli/test/simple/test.yaml index d2b48139c6..e5b6b01ec0 100644 --- a/test/cli/test/simple/test.yaml +++ b/test/cli/test/simple/test.yaml @@ -7,11 +7,11 @@ results: - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-pass - status: Pass + status: pass - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-fail - status: Fail + status: fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-ignore @@ -19,8 +19,8 @@ results: - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-fail - status: Fail + status: fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-pass - status: Pass + status: pass 
diff --git a/test/scenarios/other/scenario_mutate_endpoint.yaml b/test/scenarios/other/scenario_mutate_endpoint.yaml index 6cbc87316e..bd23745700 100644 --- a/test/scenarios/other/scenario_mutate_endpoint.yaml +++ b/test/scenarios/other/scenario_mutate_endpoint.yaml @@ -17,5 +17,5 @@ expected: rules: - name: pEP type: Mutation - status: Pass + status: pass message: successfully process JSON patches diff --git a/test/scenarios/other/scenario_mutate_pod_spec.yaml b/test/scenarios/other/scenario_mutate_pod_spec.yaml index 165930d718..4b8a1d26da 100644 --- a/test/scenarios/other/scenario_mutate_pod_spec.yaml +++ b/test/scenarios/other/scenario_mutate_pod_spec.yaml @@ -16,5 +16,5 @@ expected: rules: - name: disable-servicelink-and-token type: Mutation - status: Pass + status: pass message: successfully processed strategic merge patch \ No newline at end of file diff --git a/test/scenarios/other/scenario_mutate_validate_qos.yaml b/test/scenarios/other/scenario_mutate_validate_qos.yaml index 88ff5f52d6..8ddb792e20 100644 --- a/test/scenarios/other/scenario_mutate_validate_qos.yaml +++ b/test/scenarios/other/scenario_mutate_validate_qos.yaml @@ -17,7 +17,7 @@ expected: rules: - name: add-memory-limit type: Mutation - status: Pass + status: pass message: successfully processed strategic merge patch validation: policyresponse: @@ -33,4 +33,4 @@ expected: - name: check-cpu-memory-limits type: Validation message: validation rule 'check-cpu-memory-limits' passed. - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_default_proc_mount.yaml b/test/scenarios/other/scenario_validate_default_proc_mount.yaml index fd3340b29f..0a32ba778b 100644 --- a/test/scenarios/other/scenario_validate_default_proc_mount.yaml +++ b/test/scenarios/other/scenario_validate_default_proc_mount.yaml 
@@ -18,4 +18,4 @@ expected: - name: validate-default-proc-mount type: Validation message: "validation rule 'validate-default-proc-mount' passed." - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml index 40dffaf73b..0ea05ffe27 100644 --- a/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml +++ b/test/scenarios/other/scenario_validate_disallow_default_serviceaccount.yaml @@ -17,4 +17,4 @@ expected: - name: prevent-mounting-default-serviceaccount type: Validation message: "validation error: Prevent mounting of default service account. Rule prevent-mounting-default-serviceaccount failed at path /spec/serviceAccountName/" - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_healthChecks.yaml b/test/scenarios/other/scenario_validate_healthChecks.yaml index c892b9f373..7f73be242f 100644 --- a/test/scenarios/other/scenario_validate_healthChecks.yaml +++ b/test/scenarios/other/scenario_validate_healthChecks.yaml @@ -17,8 +17,8 @@ expected: - name: check-readinessProbe-exists type: Validation message: validation rule 'check-readinessProbe-exists' passed. - status: Pass + status: pass - name: check-livenessProbe-exists type: Validation message: validation rule 'check-livenessProbe-exists' passed. - status: Pass + status: pass diff --git a/test/scenarios/other/scenario_validate_selinux_context.yaml b/test/scenarios/other/scenario_validate_selinux_context.yaml index ecf777bf29..a10b6717a0 100644 --- a/test/scenarios/other/scenario_validate_selinux_context.yaml +++ b/test/scenarios/other/scenario_validate_selinux_context.yaml 
@@ -17,4 +17,4 @@ expected: - name: validate-selinux-options type: Validation message: "validation error: SELinux level is required. Rule validate-selinux-options failed at path /spec/containers/0/securityContext/seLinuxOptions/" - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml index 6b3ded8bfa..14ddacdbff 100644 --- a/test/scenarios/other/scenario_validate_volume_whiltelist.yaml +++ b/test/scenarios/other/scenario_validate_volume_whiltelist.yaml @@ -18,4 +18,4 @@ expected: - name: validate-volumes-whitelist type: Validation message: "validation rule 'validate-volumes-whitelist' anyPattern[2] passed." - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/add_networkPolicy.yaml b/test/scenarios/samples/best_practices/add_networkPolicy.yaml index 558ce91f96..eb3ff0823e 100644 --- a/test/scenarios/samples/best_practices/add_networkPolicy.yaml +++ b/test/scenarios/samples/best_practices/add_networkPolicy.yaml @@ -20,5 +20,5 @@ expected: rules: - name: default-deny-ingress type: Generation - status: Pass + status: pass message: created resource NetworkPolicy/devtest/default-deny-ingress diff --git a/test/scenarios/samples/best_practices/add_ns_quota.yaml b/test/scenarios/samples/best_practices/add_ns_quota.yaml index f02c04fa94..2119b2a656 100644 --- a/test/scenarios/samples/best_practices/add_ns_quota.yaml +++ b/test/scenarios/samples/best_practices/add_ns_quota.yaml @@ -20,7 +20,7 @@ expected: rules: - name: generate-resourcequota type: Generation - status: Pass + status: pass - name: generate-limitrange type: Generation - status: Pass + status: pass 
diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml index a6721436f8..46c39b0381 100644 --- a/test/scenarios/samples/best_practices/add_safe_to_evict.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict.yaml @@ -17,5 +17,5 @@ expected: rules: - name: annotate-empty-dir type: Mutation - status: Pass + status: pass message: "successfully processed strategic merge patch" \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml index c1ed183500..085b3b0185 100644 --- a/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml +++ b/test/scenarios/samples/best_practices/add_safe_to_evict2.yaml @@ -17,5 +17,5 @@ expected: rules: - name: annotate-host-path type: Mutation - status: Pass + status: pass message: "successfully processed strategic merge patch" \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml index 490b1d3185..f76f4f0298 100644 --- a/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_fail.yaml @@ -17,4 +17,4 @@ expected: - name: validate-hostPath message: "validation error: Host path volumes are not allowed. Rule validate-hostPath failed at path /spec/volumes/0/hostPath/" type: Validation - status: Fail + status: fail diff --git a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml index 19d8a8edac..ec46f5519d 100644 --- a/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml +++ b/test/scenarios/samples/best_practices/disallow_bind_mounts_pass.yaml 
@@ -16,4 +16,4 @@ expected: rules: - name: validate-hostPath type: Validation - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml index 3560cf85cf..951fe703a1 100644 --- a/test/scenarios/samples/best_practices/disallow_host_network_port.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_network_port.yaml @@ -16,7 +16,7 @@ expected: rules: - name: validate-host-network type: Validation - status: Pass + status: pass - name: validate-host-port type: Validation - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml index 0bedc4f1df..f91881b9b5 100644 --- a/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml +++ b/test/scenarios/samples/best_practices/disallow_host_pid_ipc.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-hostPID-hostIPC type: Validation - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_priviledged.yaml b/test/scenarios/samples/best_practices/disallow_priviledged.yaml index 8a418989db..f3612c8292 100644 --- a/test/scenarios/samples/best_practices/disallow_priviledged.yaml +++ b/test/scenarios/samples/best_practices/disallow_priviledged.yaml @@ -16,7 +16,7 @@ expected: rules: - name: validate-privileged type: Validation - status: Fail + status: fail - name: validate-allowPrivilegeEscalation type: Validation - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/samples/best_practices/disallow_sysctls.yaml b/test/scenarios/samples/best_practices/disallow_sysctls.yaml index 79724bc503..8b18ac01df 100644 
--- a/test/scenarios/samples/best_practices/disallow_sysctls.yaml +++ b/test/scenarios/samples/best_practices/disallow_sysctls.yaml @@ -17,4 +17,4 @@ expected: rules: - name: validate-sysctls type: Validation - status: Fail \ No newline at end of file + status: fail \ No newline at end of file diff --git a/test/scenarios/samples/more/restrict_automount_sa_token.yaml b/test/scenarios/samples/more/restrict_automount_sa_token.yaml index 8d39da19bd..0dabe29a84 100644 --- a/test/scenarios/samples/more/restrict_automount_sa_token.yaml +++ b/test/scenarios/samples/more/restrict_automount_sa_token.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-automountServiceAccountToken type: Validation - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/samples/more/restrict_ingress_classes.yaml b/test/scenarios/samples/more/restrict_ingress_classes.yaml index adc5c3a61e..9bd0be41f8 100644 --- a/test/scenarios/samples/more/restrict_ingress_classes.yaml +++ b/test/scenarios/samples/more/restrict_ingress_classes.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-ingress type: Validation - status: Pass \ No newline at end of file + status: pass \ No newline at end of file diff --git a/test/scenarios/samples/more/unknown_ingress_class.yaml b/test/scenarios/samples/more/unknown_ingress_class.yaml index 7f096d8ac5..cd1d172250 100644 --- a/test/scenarios/samples/more/unknown_ingress_class.yaml +++ b/test/scenarios/samples/more/unknown_ingress_class.yaml @@ -16,4 +16,4 @@ expected: rules: - name: validate-ingress type: Validation - status: Fail \ No newline at end of file + status: fail \ No newline at end of file From 1ebd2c99f2089b48c111a10b5e5f03b78b0424f6 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Thu, 30 Sep 2021 23:34:04 -0700 Subject: [PATCH 24/50] add messages and set rule to skip when pattern does not match 
Signed-off-by: Jim Bugwadia --- pkg/engine/mutate/strategicPreprocessing.go | 2 +- pkg/engine/validate/validate.go | 25 ++++++++++--- pkg/engine/validation.go | 41 ++++++++++++--------- 3 files changed, 44 insertions(+), 24 deletions(-) diff --git a/pkg/engine/mutate/strategicPreprocessing.go b/pkg/engine/mutate/strategicPreprocessing.go index 4e78a6b5c3..0ca5de419d 100644 --- a/pkg/engine/mutate/strategicPreprocessing.go +++ b/pkg/engine/mutate/strategicPreprocessing.go @@ -335,7 +335,7 @@ func checkCondition(logger logr.Logger, pattern *yaml.RNode, resource *yaml.RNod return err } - err, _ = validate.MatchPattern(logger, resourceInterface, patternInterface) + err = validate.MatchPattern(logger, resourceInterface, patternInterface) if err != nil { return err } diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index 47c1511098..e041b71c52 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go @@ -12,9 +12,24 @@ import ( "github.com/kyverno/kyverno/pkg/engine/wildcards" ) + +type PatternError struct { + Err error + Path string + Skip bool +} + +func (e *PatternError) Error() string { + if e.Err == nil { + return "" + } + + return e.Err.Error() +} + // MatchPattern is a start of element-by-element pattern validation process. // It assumes that validation is started from root, so "/" is passed -func MatchPattern(logger logr.Logger, resource, pattern interface{}) (error, string) { +func MatchPattern(logger logr.Logger, resource, pattern interface{}) error { // newAnchorMap - to check anchor key has values ac := common.NewAnchorMap() elemPath, err := validateResourceElement(logger, resource, pattern, pattern, "/", ac) 
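Review bot: The exported `PatternError` type, its three fields and its `Error` method are added without doc comments; `Skip` in particular needs one, because its meaning (the pattern does not apply to the resource since a conditional or global anchor did not match) is only discoverable by reading `MatchPattern`, e.g. `// Skip reports that the pattern does not apply to the resource (a conditional or global anchor did not match); Err is nil in that case.` Since `Err` wraps the underlying error, an `Unwrap` method would let callers use `errors.Is`/`errors.As` on it: `func (e *PatternError) Unwrap() error { return e.Err }`. The added empty line after the import block also leaves two consecutive blank lines, which the rest of the file does not use.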
@@ -22,19 +37,19 @@ func MatchPattern(logger logr.Logger, resource, pattern interface{}) (error, str // if conditional or global anchors report errors, the rule does not apply to the resource if common.IsConditionalAnchorError(err.Error()) || common.IsGlobalAnchorError(err.Error()) { logger.V(3).Info("skipping resource as anchor does not apply", "msg", ac.AnchorError.Error()) - return nil, "" + return &PatternError{nil, "", true} } // check if an anchor defined in the policy rule is missing in the resource if ac.IsAnchorError() { logger.V(3).Info("missing anchor in resource") - return err, "" + return &PatternError{err, "", false} } - return err, elemPath + return &PatternError{err, elemPath, false} } - return nil, "" + return &PatternError{nil, "", false} } // validateResourceElement detects the element type (map, array, nil, string, int, bool, float) diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 9c5fcaef8f..cc33757c76 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -193,7 +193,7 @@ func (v *validator) validate() *response.RuleResponse { if err != nil { return ruleError(v.rule, "failed to evaluate preconditions", err) } else if !preconditionsPassed { - return ruleResponse(v.rule, "", response.RuleStatusSkip) + return ruleResponse(v.rule, "preconditions not met", response.RuleStatusSkip) } if v.pattern != nil || v.anyPattern != nil { @@ -222,7 +222,7 @@ func (v *validator) validateForEach() *response.RuleResponse { if err != nil { return ruleError(v.rule, "failed to evaluate preconditions", err) } else if !preconditionsPassed { - return ruleResponse(v.rule, "", response.RuleStatusSkip) + return ruleResponse(v.rule, "preconditions not met", response.RuleStatusSkip) } foreach := v.rule.Validation.ForEachValidation 
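Review bot: The success path at the end of the hunk now returns `&PatternError{nil, "", false}` instead of `nil`, which is a non-nil `error` value (an interface holding a non-nil pointer), so every caller that tests `err != nil` / `err == nil` now treats a successful match as a failure: `checkCondition` in strategicPreprocessing.go returns it, `validatePatterns` in validation.go turns it into `RuleStatusError` because its `Path` is empty, and the anyPattern loop there can never reach its `err == nil` pass branch. The final statement should be a literal `return nil`. The skip case `return &PatternError{nil, "", true}` has the same shape — `Error()` yields an empty string and none of the callers in this patch inspect `Skip` — so `checkCondition` will now propagate an empty-message error where it previously returned nil.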
@@ -266,10 +266,10 @@ func (v *validator) validateForEach() *response.RuleResponse { } if applyCount == 0 { - return ruleResponse(v.rule, "", response.RuleStatusSkip) + return ruleResponse(v.rule, "rule skipped", response.RuleStatusSkip) } - return ruleResponse(v.rule, "", response.RuleStatusPass) + return ruleResponse(v.rule, "rule passed", response.RuleStatusPass) } func addElementToContext(ctx *PolicyContext, e interface{}) error { @@ -436,13 +436,16 @@ func isSameRuleResponse(r1 *response.RuleResponse, r2 *response.RuleResponse) bo // validatePatterns validate pattern and anyPattern func (v *validator) validatePatterns(resource unstructured.Unstructured) *response.RuleResponse { if v.pattern != nil { - if err, path := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil { - v.log.V(3).Info("validation error", "path", path, "error", err.Error()) - if path == "" { - return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError) - } + if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil { - return ruleResponse(v.rule, v.buildErrorMessage(err, path), response.RuleStatusFail) + if pe, ok := err.(*validate.PatternError); ok{ + v.log.V(3).Info("validation error", "path", pe.Path, "error", err.Error()) + if pe.Path == "" { + return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError) + } + + return ruleResponse(v.rule, v.buildErrorMessage(err, pe.Path), response.RuleStatusFail) + } } v.log.V(4).Info("successfully processed rule") 
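Review bot: `pe.Skip` is never consulted, so a pattern that does not apply because of a conditional or global anchor (which `MatchPattern` now reports with `Skip: true` and an empty `Path`) is reported as `RuleStatusError` with an empty message rather than the skip the commit title describes, and when the type assertion fails (`ok` false) the non-nil error is dropped and execution falls through to "successfully processed rule" — a validation error reported as a pass. Both branches need an explicit outcome; the same applies to the anyPattern loop in the next hunk, where a skip is appended as `Rule name[idx] failed: .` with the empty message. `ok{` is also not gofmt-clean. `validatePatterns` continues beyond this hunk.
```go
if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil {
	pe, ok := err.(*validate.PatternError)
	if !ok {
		// an error that is not a PatternError must not fall through to the pass path
		return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError)
	}
	if pe.Skip {
		return ruleResponse(v.rule, "pattern does not apply to the resource", response.RuleStatusSkip)
	}
	v.log.V(3).Info("validation error", "path", pe.Path, "error", err.Error())
	if pe.Path == "" {
		return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError)
	}
	return ruleResponse(v.rule, v.buildErrorMessage(err, pe.Path), response.RuleStatusFail)
}
// … unchanged: "successfully processed rule" log and the rest of validatePatterns …
```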
@@ -461,19 +464,21 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *respon } for idx, pattern := range anyPatterns { - err, path := validate.MatchPattern(v.log, resource.Object, pattern) + err := validate.MatchPattern(v.log, resource.Object, pattern) if err == nil { msg := fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", v.rule.Name, idx) return ruleResponse(v.rule, msg, response.RuleStatusPass) } - v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", path) - if path == "" { - patternErr := fmt.Errorf("Rule %s[%d] failed: %s.", v.rule.Name, idx, err.Error()) - failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) - } else { - patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", v.rule.Name, idx, path) - failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + if pe, ok := err.(*validate.PatternError); ok { + v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", pe.Path) + if pe.Path == "" { + patternErr := fmt.Errorf("Rule %s[%d] failed: %s.", v.rule.Name, idx, err.Error()) + failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + } else { + patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", v.rule.Name, idx, pe.Path) + failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) + } } } From c32002837dc25bf5e611c57c1900ed34007ca9f0 Mon Sep 17 00:00:00 2001 From: Pooja Singh Date: Sat, 2 Oct 2021 00:09:29 +0530 Subject: [PATCH 25/50] supporting request object for generate policies (#2455) * supporting request object for generate policies Signed-off-by: NoSkillGirl * updated naming for operation Signed-off-by: NoSkillGirl * run make kustomize-crd 
Signed-off-by: NoSkillGirl --- charts/kyverno/templates/crds.yaml | 10 +++++++++ .../crds/kyverno.io_generaterequests.yaml | 10 +++++++++ definitions/install.yaml | 10 +++++++++ definitions/install_debug.yaml | 10 +++++++++ pkg/api/kyverno/v1/generaterequest_types.go | 10 +++++++++ pkg/generate/generate.go | 17 +++++++++++++++ pkg/generate/generate_controller.go | 3 +++ pkg/webhooks/generation.go | 21 ++++++++++++++----- 8 files changed, 86 insertions(+), 5 deletions(-) diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 68561fe05a..59926fc198 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -2043,6 +2043,16 @@ spec: context: description: Context ... properties: + admissionRequestInfo: + description: Adding required request information to GR + properties: + admissionRequest: + description: Adding Admission Request to GR. + type: string + operation: + description: Current request operation + type: string + type: object userInfo: description: RequestInfo contains permission info carried in an admission request. properties: diff --git a/definitions/crds/kyverno.io_generaterequests.yaml b/definitions/crds/kyverno.io_generaterequests.yaml index 9e7072c42d..6ae8b54882 100644 --- a/definitions/crds/kyverno.io_generaterequests.yaml +++ b/definitions/crds/kyverno.io_generaterequests.yaml @@ -108,6 +108,16 @@ spec: type: string type: object type: object + admissionRequestInfo: + description: Adding required request information to GR + properties: + admissionRequest: + description: Adding Admission Request to GR. + type: string + operation: + description: Current request operation + type: string + type: object type: object policy: description: Specifies the name of the policy. diff --git a/definitions/install.yaml b/definitions/install.yaml index 3ce90b1a74..afe0e7c041 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -3029,6 +3029,16 @@ spec: context: description: Context ... properties: + admissionRequestInfo: + description: Adding required request information to GR + properties: + admissionRequest: + description: Adding Admission Request to GR. + type: string + operation: + description: Current request operation + type: string + type: object userInfo: description: RequestInfo contains permission info carried in an admission request. diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 7c2f4a6aa3..63431b9574 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -2995,6 +2995,16 @@ spec: context: description: Context ... properties: + admissionRequestInfo: + description: Adding required request information to GR + properties: + admissionRequest: + description: Adding Admission Request to GR. + type: string + operation: + description: Current request operation + type: string + type: object userInfo: description: RequestInfo contains permission info carried in an admission request. diff --git a/pkg/api/kyverno/v1/generaterequest_types.go b/pkg/api/kyverno/v1/generaterequest_types.go index 7311c32d4d..8f1f53452f 100644 --- a/pkg/api/kyverno/v1/generaterequest_types.go +++ b/pkg/api/kyverno/v1/generaterequest_types.go @@ -1,6 +1,7 @@ package v1 import ( + "k8s.io/api/admission/v1beta1" authenticationv1 "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -45,6 +46,15 @@ type GenerateRequestSpec struct {
 type GenerateRequestContext struct {
 // +optional
 UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
+ // +optional
+ AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"`
+}
+
+type AdmissionRequestInfoObject struct {
+ // +optional
+ AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
+ // +optional
+ Operation v1beta1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
 }
 // RequestInfo contains permission info carried in an admission request.
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index bae06323e3..ccc3c66a38 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -19,6 +19,7 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/utils"
 "github.com/kyverno/kyverno/pkg/engine/variables"
 kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
+ "k8s.io/api/admission/v1beta1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -99,6 +100,22 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 return nil, err
 }
+ requestString := gr.Spec.Context.AdmissionRequestInfo.AdmissionRequest
+ var request v1beta1.AdmissionRequest
+ err = json.Unmarshal([]byte(requestString), &request)
+ if err != nil {
+ logger.Error(err, "error parsing the request string")
+ }
+
+ if gr.Spec.Context.AdmissionRequestInfo.Operation == v1beta1.Update {
+ request.Operation = gr.Spec.Context.AdmissionRequestInfo.Operation
+ }
+
+ if err := ctx.AddRequest(&request); err != nil {
+ logger.Error(err, "failed to load request in context")
+ return nil, err
+ }
+
 resourceRaw, err := resource.MarshalJSON()
 if err != nil {
 logger.Error(err, "failed to marshal resource")
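Review bot: In applyGenerate a failure to unmarshal the stored admissionRequest is only logged, and the zero-valued v1beta1.AdmissionRequest is still handed to ctx.AddRequest, so rules then evaluate against a request with no object, no userInfo and no operation instead of the GR being marked failed; the AddRequest branch right below returns its error and this one should too (`return nil, err`), or skip the block when requestString is empty for GenerateRequests written before this field existed. Note also that the request is trusted as stored: the controller re-hydrates whatever string the GenerateRequest object carries, so write access to that resource is equivalent to supplying an arbitrary admission request (userInfo included) to generate rules, which is worth a comment here and a look at the RBAC granted on it. applyGenerate continues outside the hunk.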
diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go index 2e4bbafe1c..a2648832dc 100644 --- a/pkg/generate/generate_controller.go +++ b/pkg/generate/generate_controller.go @@ -4,6 +4,7 @@ import ( "reflect" "time" + "k8s.io/api/admission/v1beta1" "k8s.io/client-go/kubernetes" "github.com/go-logr/logr" @@ -230,6 +231,7 @@ func (c *Controller) updateGenericResource(old, cur interface{}) { // re-evaluate the GR as the resource was updated for _, gr := range grs { + gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update c.enqueueGenerateRequest(gr) } } @@ -286,6 +288,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) { // re-evaluate the GR as the policy was updated for _, gr := range grs { + gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update c.enqueueGenerateRequest(gr) } } diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index d208a3569a..a644bd2ca7 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go @@ -7,6 +7,7 @@ import ( "strings" "time" + "github.com/gardener/controller-manager-library/pkg/logger" "github.com/go-logr/logr" kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" @@ -107,7 +108,7 @@ func (ws *WebhookServer) handleGenerate( } // Adds Generate Request to a channel(queue size 1000) to generators - if failedResponse := applyGenerateRequest(ws.grGenerator, userRequestInfo, request.Operation, engineResponses...); err != nil { + if failedResponse := applyGenerateRequest(request, ws.grGenerator, userRequestInfo, request.Operation, engineResponses...); err != nil { // report failure event for _, failedGR := range failedResponse { events := failedEvents(fmt.Errorf("failed to create Generate Request: %v", failedGR.err), failedGR.gr, new) 
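Review bot: The rewritten call in handleGenerate still tests the wrong variable: `if failedResponse := applyGenerateRequest(request, ws.grGenerator, userRequestInfo, request.Operation, engineResponses...); err != nil {` checks an `err` from the enclosing scope (outside the hunk), so the failure-event loop runs or not regardless of whether any GenerateRequest failed. The condition should be `len(failedResponse) > 0`. In the generate_controller.go hunks above, both update handlers stamp `v1beta1.Update` onto the GR's stored AdmissionRequestInfo.Operation before enqueueing; a one-line comment there saying that applyGenerate uses this to override the operation recorded in the serialised request would help the next reader.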
@@ -418,11 +419,20 @@ func (ws *WebhookServer) deleteGR(logger logr.Logger, engineResponse *response.E } } -func applyGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo, +func applyGenerateRequest(request *v1beta1.AdmissionRequest, gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo, action v1beta1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) { + requestBytes, err := json.Marshal(request) + if err != nil { + logger.Error(err, "error loading request into context") + } + admissionRequestInfo := kyverno.AdmissionRequestInfoObject{ + AdmissionRequest: string(requestBytes), + Operation: action, + } + for _, er := range engineResponses { - gr := transform(userRequestInfo, er) + gr := transform(admissionRequestInfo, userRequestInfo, er) if err := gnGenerator.Apply(gr, action); err != nil { failedGenerateRequest = append(failedGenerateRequest, generateRequestResponse{gr: gr, err: err}) } @@ -431,7 +441,7 @@ func applyGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo return } -func transform(userRequestInfo kyverno.RequestInfo, er *response.EngineResponse) kyverno.GenerateRequestSpec { +func transform(admissionRequestInfo kyverno.AdmissionRequestInfoObject, userRequestInfo kyverno.RequestInfo, er *response.EngineResponse) kyverno.GenerateRequestSpec { gr := kyverno.GenerateRequestSpec{ Policy: er.PolicyResponse.Policy.Name, Resource: kyverno.ResourceSpec{ @@ -441,7 +451,8 @@ func transform(userRequestInfo kyverno.RequestInfo, er *response.EngineResponse) APIVersion: er.PolicyResponse.Resource.APIVersion, }, Context: kyverno.GenerateRequestContext{ - UserRequestInfo: userRequestInfo, + UserRequestInfo: userRequestInfo, + AdmissionRequestInfo: admissionRequestInfo, }, } From e0e6074afc94f2ad26c00a6c527df46f5de448e3 Mon Sep 17 00:00:00 2001 
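Review bot: In applyGenerateRequest the json.Marshal error is logged and then ignored, so on failure `AdmissionRequest: string(requestBytes)` stores an empty string that the generate controller will fail to unmarshal later; since the function already returns per-response failures, record the error for each engine response (or return early) instead. Separately, the value serialised here is the whole *v1beta1.AdmissionRequest, including the admitted object and oldObject bodies, so every GenerateRequest now persists a second copy of the matched resource; for policies that match Secrets or similar that duplicates sensitive data into an object with its own read RBAC and ties the GR size to the request size, which deserves a comment and ideally a trimmed struct carrying only what generate rules need. The logger used on the error path comes from the newly imported `github.com/gardener/controller-manager-library/pkg/logger`; the package already uses go-logr, and adding a third-party module for one Error call is a supply-chain cost with no benefit.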
From: Jim Bugwadia Date: Sat, 2 Oct 2021 16:53:02 -0700 Subject: [PATCH 26/50] add validation; add 'element' to context Signed-off-by: Jim Bugwadia --- pkg/engine/context/context.go | 10 +++ pkg/engine/policyContext.go | 3 + pkg/engine/validate/validate.go | 4 +- pkg/engine/validation.go | 41 +++++++++--- pkg/engine/validation_test.go | 12 ++-- pkg/engine/variables/vars.go | 14 ++++- pkg/policy/actions.go | 8 ++- pkg/policy/validate.go | 2 +- pkg/policy/validate/validate.go | 106 +++++++++++++++++++++++++++----- 9 files changed, 161 insertions(+), 39 deletions(-) diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go index 2389e0c26d..db03c1ab4c 100644 --- a/pkg/engine/context/context.go +++ b/pkg/engine/context/context.go @@ -99,6 +99,16 @@ func (ctx *Context) AddJSON(dataRaw []byte) error { return nil } +// AddJSON merges json data +func (ctx *Context) AddJSONObject(jsonData interface{}) error { + jsonBytes, err := json.Marshal(jsonData) + if err != nil { + return err + } + + return ctx.AddJSON(jsonBytes) +} + // AddRequest adds an admission request to context func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error { modifiedResource := struct { diff --git a/pkg/engine/policyContext.go b/pkg/engine/policyContext.go index dd23dad881..1d1c97f4b2 100644 --- a/pkg/engine/policyContext.go +++ b/pkg/engine/policyContext.go @@ -20,6 +20,9 @@ type PolicyContext struct { // OldResource is the prior resource for an update, or nil OldResource unstructured.Unstructured + // Element is set when the context is used for processing a foreach loop + Element unstructured.Unstructured + // AdmissionInfo contains the admission request information AdmissionInfo kyverno.RequestInfo diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index e041b71c52..b896437b9e 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go 
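Review bot: The doc comment on the new method names the wrong function: `// AddJSON merges json data` sits above AddJSONObject, which godoc and linters will flag. Suggested: `// AddJSONObject marshals jsonData to JSON and merges it into the context via AddJSON.` The marshal error is returned bare; wrapping it (`fmt.Errorf("marshaling context data: %w", err)`, if fmt is imported in this file) tells callers which step failed.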
@@ -37,7 +37,7 @@ func MatchPattern(logger logr.Logger, resource, pattern interface{}) error {
 // if conditional or global anchors report errors, the rule does not apply to the resource
 if common.IsConditionalAnchorError(err.Error()) || common.IsGlobalAnchorError(err.Error()) {
 logger.V(3).Info("skipping resource as anchor does not apply", "msg", ac.AnchorError.Error())
- return &PatternError{nil, "", true}
+ return &PatternError{err, "", true}
 }
 // check if an anchor defined in the policy rule is missing in the resource
@@ -49,7 +49,7 @@ func MatchPattern(logger logr.Logger, resource, pattern interface{}) error {
 return &PatternError{err, elemPath, false}
 }
- return &PatternError{nil, "", false}
+ return nil
 }
 // validateResourceElement detects the element type (map, array, nil, string, int, bool, float)
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index cc33757c76..8d64ef89ce 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -278,13 +278,17 @@ func addElementToContext(ctx *PolicyContext, e interface{}) error {
 return err
 }
+ jsonData := map[string]interface{}{
+ "element": data,
+ }
+
+ if err := ctx.JSONContext.AddJSONObject(jsonData); err != nil {
+ return errors.Wrapf(err, "failed to add element (%v) to JSON context", e)
+ }
+
 u := unstructured.Unstructured{}
 u.SetUnstructuredContent(data)
- ctx.NewResource = u
-
- if err := ctx.JSONContext.AddResourceAsObject(e); err != nil {
- return errors.Wrapf(err, "failed to add resource (%v) to JSON context", e)
- }
+ ctx.Element = u
 return nil
 }
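Review bot: addElementToContext merges the current element into the JSON context under "element" on every foreach iteration, and AddJSON is documented as a merge (context.go hunk above); if that merge is deep, an element that lacks a key the previous element had would still see the stale value at `element.<key>`, so per-element evaluation could be contaminated by the prior element. Either replace the `element` entry rather than merging, or reset the context before each iteration, and state in a comment which behaviour is relied on. addElementToContext's beginning lies outside the hunk.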
@@ -375,12 +379,17 @@ func (v *validator) getDenyMessage(deny bool) string {
 }
 func (v *validator) validateResourceWithRule() *response.RuleResponse {
- if reflect.DeepEqual(v.ctx.OldResource, unstructured.Unstructured{}) {
+ if !isEmptyUnstructured(&v.ctx.Element) {
+ resp := v.validatePatterns(v.ctx.Element)
+ return resp
+ }
+
+ if !isEmptyUnstructured(&v.ctx.OldResource) {
 resp := v.validatePatterns(v.ctx.NewResource)
 return resp
 }
- if reflect.DeepEqual(v.ctx.NewResource, unstructured.Unstructured{}) {
+ if isEmptyUnstructured(&v.ctx.NewResource) {
 v.log.V(3).Info("skipping validation on deleted resource")
 return nil
 }
@@ -395,6 +404,18 @@ func (v *validator) validateResourceWithRule() *response.RuleResponse {
 return newResp
 }
+func isEmptyUnstructured(u *unstructured.Unstructured) bool {
+ if u == nil {
+ return true
+ }
+
+ if reflect.DeepEqual(*u, unstructured.Unstructured{}) {
+ return true
+ }
+
+ return false
+}
+
 // matches checks if either the new or old resource satisfies the filter conditions defined in the rule
 func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool {
 err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels)
@@ -525,9 +546,9 @@ func (v *validator) buildErrorMessage(err error, path string) string {
 return fmt.Sprintf("validation error: rule %s execution error: %s", v.rule.Name, err.Error())
 }
- msgRaw, err := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.rule.Validation.Message)
- if err != nil {
- v.log.Info("failed to substitute variables in message: %v", err)
+ msgRaw, sErr := variables.SubstituteAll(v.log, v.ctx.JSONContext, v.rule.Validation.Message)
+ if sErr != nil {
+ v.log.Info("failed to substitute variables in message: %v", sErr)
 }
 msg := msgRaw.(string)
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index 259d3c1666..63b73feff7 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
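Review bot: The second guard in validateResourceWithRule inverts the removed condition: the old code validated NewResource when OldResource was empty, the new `if !isEmptyUnstructured(&v.ctx.OldResource) {` does so when OldResource is non-empty, so create requests now fall through to the logic after the hunk and update requests short-circuit to validating only the new object. Unless that is intended, the line should read `if isEmptyUnstructured(&v.ctx.OldResource) {`. In buildErrorMessage (last hunk), `v.log.Info("failed to substitute variables in message: %v", sErr)` passes a printf verb and an odd number of values to a logr key/value call; `v.log.Info("failed to substitute variables in message", "error", sErr)` is the structured form, and the unchecked `msgRaw.(string)` on the next line panics if substitution returns a non-string on error. validateResourceWithRule continues outside the hunk.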
@@ -2514,7 +2514,7 @@ func Test_foreach_container_deny_fail(t *testing.T) { "list": "request.object.spec.template.spec.containers", "deny": { "conditions": [ - {"key": "{{ regex_match('{{request.object.image}}', 'docker.io') }}", "operator": "Equals", "value": false} + {"key": "{{ regex_match('{{element.image}}', 'docker.io') }}", "operator": "Equals", "value": false} ] } } @@ -2550,7 +2550,7 @@ func Test_foreach_container_deny_success(t *testing.T) { "list": "request.object.spec.template.spec.containers", "deny": { "conditions": [ - {"key": "{{ regex_match('{{request.object.image}}', 'docker.io') }}", "operator": "Equals", "value": false} + {"key": "{{ regex_match('{{element.image}}', 'docker.io') }}", "operator": "Equals", "value": false} ] } } @@ -2623,14 +2623,14 @@ func Test_foreach_context_preconditions(t *testing.T) { "context": [{"name": "img", "configMap": {"name": "mycmap", "namespace": "default"}}], "preconditions": { "all": [ { - "key": "{{request.object.name}}", + "key": "{{element.name}}", "operator": "In", "value": ["podvalid"] } ]}, "deny": { "conditions": [ - {"key": "{{ request.object.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ request.object.name }} }}"} + {"key": "{{ element.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ element.name }} }}"} ] } } @@ -2687,14 +2687,14 @@ func Test_foreach_context_preconditions_fail(t *testing.T) { "context": [{"name": "img", "configMap": {"name": "mycmap", "namespace": "default"}}], "preconditions": { "all": [ { - "key": "{{request.object.name}}", + "key": "{{element.name}}", "operator": "In", "value": ["podvalid", "podinvalid"] } ]}, "deny": { "conditions": [ - {"key": "{{ request.object.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ request.object.name }} }}"} + {"key": "{{ element.image }}", "operator": "NotEquals", "value": "{{ img.data.{{ element.name }} }}"} ] } } 
diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index 33e078d934..ab019ff951 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go @@ -270,6 +270,8 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface, vr Var return data.Element, nil } + isDeleteRequest := isDeleteRequest(ctx) + vars := RegexVariables.FindAllString(value, -1) for len(vars) > 0 { originalPattern := value @@ -281,8 +283,7 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface, vr Var variable = strings.Replace(variable, "@", fmt.Sprintf("request.object.%s", getJMESPath(data.Path)), -1) } - operation, err := ctx.Query("request.operation") - if err == nil && operation == "DELETE" { + if isDeleteRequest { variable = strings.ReplaceAll(variable, "request.object", "request.oldObject") } @@ -318,6 +319,15 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface, vr Var }) } +func isDeleteRequest(ctx context.EvalInterface) bool { + operation, err := ctx.Query("request.operation") + if err == nil && operation == "DELETE" { + return true + } + + return false +} + // getJMESPath converts path to JMES format func getJMESPath(rawPath string) string { tokens := strings.Split(rawPath, "/")[3:] // skip empty element and two non-resource (like mutate.overlay) diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go index bfd449d1e0..fa674817a3 100644 --- a/pkg/policy/actions.go +++ b/pkg/policy/actions.go @@ -21,7 +21,11 @@ type Validation interface { // - Mutate // - Validation // - Generate -func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bool) error { +func validateActions(idx int, rule *kyverno.Rule, client *dclient.Client, mock bool) error { + if rule == nil { + return nil + } + var checker Validation // Mutate 
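Review bot: `isDeleteRequest := isDeleteRequest(ctx)` declares a local that shadows the function of the same name for the rest of substituteVariablesIfAny; it compiles because the right-hand side is evaluated before the new name enters scope, but a later call to the function inside the body would no longer compile and the line misleads readers. Rename the local, e.g. `isDelete := isDeleteRequest(ctx)` and `if isDelete {` in the following hunk. In isDeleteRequest the if/return pair collapses to `return err == nil && operation == "DELETE"`. In pkg/policy/actions.go, `if rule == nil { return nil }` lets a nil rule pass validation silently; the only caller visible (pkg/policy/validate.go, next line) passes `&rule`, so an error would be the safer response to an unexpected nil. substituteVariablesIfAny starts and ends outside these hunks.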
@@ -34,7 +38,7 @@ func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bo // Validate if rule.HasValidate() { - checker = validate.NewValidateFactory(rule.Validation) + checker = validate.NewValidateFactory(&rule.Validation) if path, err := checker.Validate(); err != nil { return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err) } diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index b5835da1fe..b3160b19f2 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -148,7 +148,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, // - Mutate // - Validate // - Generate - if err := validateActions(i, rule, client, mock); err != nil { + if err := validateActions(i, &rule, client, mock); err != nil { return err } diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go index d04646bad1..664e879ce9 100644 --- a/pkg/policy/validate/validate.go +++ b/pkg/policy/validate/validate.go 
@@ -2,42 +2,43 @@ package validate import ( "fmt" + "strings" kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor/common" "github.com/kyverno/kyverno/pkg/policy/common" ) -// Validate provides implementation to validate 'validate' rule +// Validate validates a 'validate' rule type Validate struct { // rule to hold 'validate' rule specifications - rule kyverno.Validation + rule *kyverno.Validation } //NewValidateFactory returns a new instance of Mutate validation checker -func NewValidateFactory(rule kyverno.Validation) *Validate { +func NewValidateFactory(rule *kyverno.Validation) *Validate { m := Validate{ rule: rule, } + return &m } //Validate validates the 'validate' rule func (v *Validate) Validate() (string, error) { - rule := v.rule - if err := v.validateOverlayPattern(); err != nil { + if err := v.validateElements(); err != nil { // no need to proceed ahead return "", err } - if rule.Pattern != nil { - if path, err := common.ValidatePattern(rule.Pattern, "/", []commonAnchors.IsAnchor{commonAnchors.IsConditionAnchor, commonAnchors.IsExistenceAnchor, commonAnchors.IsEqualityAnchor, commonAnchors.IsNegationAnchor, commonAnchors.IsGlobalAnchor}); err != nil { + if v.rule.Pattern != nil { + if path, err := common.ValidatePattern(v.rule.Pattern, "/", []commonAnchors.IsAnchor{commonAnchors.IsConditionAnchor, commonAnchors.IsExistenceAnchor, commonAnchors.IsEqualityAnchor, commonAnchors.IsNegationAnchor, commonAnchors.IsGlobalAnchor}); err != nil { return fmt.Sprintf("pattern.%s", path), err } } - if rule.AnyPattern != nil { - anyPattern, err := rule.DeserializeAnyPattern() + if v.rule.AnyPattern != nil { + anyPattern, err := v.rule.DeserializeAnyPattern() if err != nil { return "anyPattern", fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err) } 
@@ -47,19 +48,92 @@ func (v *Validate) Validate() (string, error) { } } } + + if v.rule.ForEachValidation != nil { + if err := v.validateForEach(v.rule.ForEachValidation); err != nil { + return "", err + } + } + return "", nil } -// validateOverlayPattern checks one of pattern/anyPattern must exist -func (v *Validate) validateOverlayPattern() error { - rule := v.rule - if rule.Pattern == nil && rule.AnyPattern == nil && rule.Deny == nil { - return fmt.Errorf("pattern, anyPattern or deny must be specified") +func (v *Validate) validateElements() error { + count := validationElemCount(v.rule) + if count == 0 { + return fmt.Errorf("one of pattern, anyPattern, deny, foreach must be specified") } - if rule.Pattern != nil && rule.AnyPattern != nil { - return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)") + if count > 1 { + return fmt.Errorf("only one of pattern, anyPattern, deny, foreach can be specified") } return nil } + +func validationElemCount(v *kyverno.Validation) int { + if v == nil { + return 0 + } + + count := 0 + if v.Pattern != nil { + count++ + } + + if v.AnyPattern != nil { + count++ + } + + if v.Deny != nil { + count++ + } + + if v.ForEachValidation != nil { + count++ + } + + return count +} + +func (v *Validate) validateForEach(foreach *kyverno.ForEachValidation) error { + if foreach.List == "" { + return fmt.Errorf("foreach.list is required") + } + + if !strings.HasPrefix(foreach.List, "request.object") { + return fmt.Errorf("foreach.list must start with 'request.object' e.g. 
'request.object.spec.containers'.") + } + + count := foreachElemCount(foreach) + if count == 0 { + return fmt.Errorf("one of pattern, anyPattern, deny must be specified") + } + + if count > 1 { + return fmt.Errorf("only one of pattern, anyPattern, deny can be specified") + } + + return nil +} + +func foreachElemCount(foreach *kyverno.ForEachValidation) int { + if foreach == nil { + return 0 + } + + count := 0 + if foreach.Pattern != nil { + count++ + } + + if foreach.AnyPattern != nil { + count++ + } + + if foreach.Deny != nil { + count++ + } + + return count +} From 89d1e4afabf90603202c0dd0d95fac3c0fede3dc Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sat, 2 Oct 2021 16:57:40 -0700 Subject: [PATCH 27/50] format Signed-off-by: Jim Bugwadia --- pkg/engine/validate/validate.go | 3 +-- pkg/engine/validation.go | 2 +- pkg/policy/validate/validate.go | 4 ++-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index b896437b9e..3ab332a5ee 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go @@ -12,9 +12,8 @@ import ( "github.com/kyverno/kyverno/pkg/engine/wildcards" ) - type PatternError struct { - Err error + Err error Path string Skip bool } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 8d64ef89ce..0304f45f71 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -459,7 +459,7 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *respon if v.pattern != nil { if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil { - if pe, ok := err.(*validate.PatternError); ok{ + if pe, ok := err.(*validate.PatternError); ok { v.log.V(3).Info("validation error", "path", pe.Path, "error", err.Error()) if pe.Path == "" { return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError) 
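Review bot: validateForEach only counts which of pattern/anyPattern/deny is set; unlike the top-level path in Validate, the foreach pattern is never passed to common.ValidatePattern, so malformed anchors inside foreach.pattern or foreach.anyPattern pass policy validation and only surface at admission time. Run the same anchor validation over the foreach sub-elements. The prefix check `strings.HasPrefix(foreach.List, "request.object")` also accepts values such as `request.objectX`; `foreach.List == "request.object" || strings.HasPrefix(foreach.List, "request.object.")` matches the intent of the error text. The nil guard in foreachElemCount is unreachable from validateForEach, which dereferences foreach.List first, and the new error strings end with periods, which Go style avoids. Validate's beginning is in the previous hunk.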
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go index 664e879ce9..c44aaaa1a2 100644 --- a/pkg/policy/validate/validate.go +++ b/pkg/policy/validate/validate.go @@ -60,7 +60,7 @@ func (v *Validate) Validate() (string, error) { func (v *Validate) validateElements() error { count := validationElemCount(v.rule) - if count == 0 { + if count == 0 { return fmt.Errorf("one of pattern, anyPattern, deny, foreach must be specified") } @@ -106,7 +106,7 @@ func (v *Validate) validateForEach(foreach *kyverno.ForEachValidation) error { } count := foreachElemCount(foreach) - if count == 0 { + if count == 0 { return fmt.Errorf("one of pattern, anyPattern, deny must be specified") } From 8b7d404ea24e37a870c504008d1206768890bd24 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sat, 2 Oct 2021 18:29:25 -0700 Subject: [PATCH 28/50] generate CRDs and validate handling of skip/error Signed-off-by: Jim Bugwadia --- charts/kyverno/templates/crds.yaml | 3633 +++++++++++++---- .../crds/kyverno.io_clusterpolicies.yaml | 154 + definitions/crds/kyverno.io_policies.yaml | 154 + definitions/install.yaml | 3527 ++++------------ definitions/install_debug.yaml | 3527 ++++------------ pkg/api/kyverno/v1/policy_types.go | 1 + pkg/engine/response/response.go | 8 +- 7 files changed, 5032 insertions(+), 5972 deletions(-) diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 68561fe05a..2f9bd41a05 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml 
@@ -40,13 +40,18 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -54,32 +59,58 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. 
properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. 
type: string required: - urlPath @@ -102,25 +133,36 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -128,29 +170,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -162,30 +234,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -197,31 +299,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -231,22 +354,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -254,29 +385,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -288,30 +449,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -323,31 +514,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -357,17 +569,23 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -375,29 +593,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -409,30 +650,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -444,31 +709,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -483,7 +768,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -493,7 +781,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -505,29 +796,46 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. 
+ description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -535,29 +843,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -569,30 +907,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -604,31 +972,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -638,22 +1027,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -661,29 +1058,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -695,30 +1122,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -730,31 +1187,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -764,17 +1242,24 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -782,29 +1267,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -816,30 +1324,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -851,31 +1383,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind 
@@ -887,18 +1439,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -911,62 +1470,251 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
+ At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail a validation rule. + description: Deny defines conditions used to pass or fail + a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested + elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap reference + or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to + the Kubernetes API server. The JSON data retrieved + is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. 
For example a JMESPath of "items + | length(@)" applied to the API server response + to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be + used in the HTTP GET request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that + results in one or more elements to which the validation + logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if + a policy rule should be applied by evaluating a set + of conditions. The declaration can contain nested + `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures and mutate them to add a digest + description: VerifyImages is used to verify image signatures + and mutate them to add a digest items: - description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the image is signed with. + description: Key is the PEM encoded public key that the + image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. 
If specified Repository will override the default OCI image repository configured for the installation. + description: Repository is an optional alternate OCI repository + to use for image signatures that match this rule. If + specified Repository will override the default OCI image + repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. format: int32 type: integer type: object 
@@ -974,7 +1722,8 @@ spec: description: Status contains policy runtime data. properties: ready: - description: Ready indicates if the policy is ready to serve the admission request + description: Ready indicates if the policy is ready to serve the admission + request type: boolean required: - ready 
@@ -1049,20 +1798,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category 
@@ -1070,30 +1825,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -1105,19 +1876,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1129,7 +1939,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1163,13 +1974,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1181,28 +2002,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1214,26 +2046,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -1270,26 +2110,33 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy 
@@ -1297,24 +2144,39 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Properties provides additional information for the + policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -1326,19 +2188,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1350,7 +2251,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1380,17 +2282,24 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that manages this report + description: Source is an identifier for the policy engine that + manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -1402,13 +2311,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1420,28 +2339,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1453,26 +2383,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -1542,20 +2480,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category 
@@ -1563,30 +2507,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -1598,19 +2558,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1622,7 +2621,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1656,13 +2656,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1674,28 +2684,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1707,26 +2728,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -1763,26 +2792,33 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy 
@@ -1790,24 +2826,39 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Properties provides additional information for the + policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -1819,19 +2870,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1843,7 +2933,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1873,17 +2964,24 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that manages this report + description: Source is an identifier for the policy engine that + manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -1895,13 +2993,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1913,28 +3021,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -1946,26 +3065,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -2030,10 +3157,14 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -2044,10 +3175,12 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an admission request. + description: RequestInfo contains permission info carried in an + admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles send the request. + description: ClusterRoles is a list of possible clusterRoles + send the request. items: type: string nullable: true 
@@ -2059,15 +3192,18 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission request. + description: UserInfo is the userInfo carried in the admission + request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf can generate + description: ExtraValue masks the value so protobuf + can generate items: type: string type: array - description: Any additional information provided by the authenticator. + description: Any additional information provided by the + authenticator. type: object groups: description: The names of groups this user is a part of. @@ -2075,10 +3211,14 @@ spec: type: string type: array uid: - description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. + description: A unique value that identifies this user + across time. If this user is deleted and another user + by the same name is added, they will have different + UIDs. type: string username: - description: The name that uniquely identifies this user among all active users. + description: The name that uniquely identifies this user + among all active users. type: string type: object type: object @@ -2087,7 +3227,8 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate request. + description: ResourceSpec is the information to identify the generate + request. properties: apiVersion: description: APIVersion specifies resource apiVersion. 
@@ -2111,7 +3252,8 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the + generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: 
@@ -2194,13 +3336,19 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -2208,32 +3356,58 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: background: - description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. + description: FailurePolicy defines how unrecognized errors from the + admission endpoint are handled. Rules within the same policy share + the same failure behavior. Allowed values are Ignore or Fail. Defaults + to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. 
properties: context: - description: Context defines variables and data sources that can be used during rule execution. + description: Context defines variables and data sources that + can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + description: APICall defines an HTTP request to the Kubernetes + API server. The JSON data retrieved is stored in the + context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the API server. For example a JMESPath + of "items | length(@)" applied to the API server + response to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + description: URLPath is the URL path to be used in + the HTTP GET request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. 
type: string required: - urlPath @@ -2256,25 +3430,36 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2282,29 +3467,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2316,30 +3531,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2351,31 +3596,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2385,22 +3651,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2408,29 +3682,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2442,30 +3746,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2477,31 +3811,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind @@ -2511,17 +3866,23 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2529,29 +3890,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -2563,30 +3947,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -2598,31 +4006,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind @@ -2637,7 +4065,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -2647,7 +4078,10 @@ spec: type: string type: object data: - description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -2659,29 +4093,46 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. properties: all: - description: All allows specifying resources which will be ANDed + description: All allows specifying resources which will + be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. 
+ description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2689,29 +4140,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2723,30 +4204,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2758,31 +4269,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2792,22 +4324,30 @@ spec: type: object type: array any: - description: Any allows specifying resources which will be ORed + description: Any allows specifying resources which will + be ORed items: - description: ResourceFilters allow users to "AND" or "OR" between resources + description: ResourceFilters allow users to "AND" or "OR" + between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide + role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information + about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2815,29 +4355,59 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2849,30 +4419,60 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that + the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2884,31 +4484,52 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role + names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names + like users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2918,17 +4539,24 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role names for the user. + description: ClusterRoles is the list of cluster-wide role + names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2936,29 +4564,52 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Name is the name of the resource. The name + supports wildcard characters "*" (matches zero or + many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -2970,30 +4621,54 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. items: type: string type: array 
@@ -3005,31 +4680,51 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names for the user. + description: Roles is the list of namespaced role names + for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like users, user groups, and service accounts. + description: Subjects is the list of subject names like + users, user groups, and service accounts. items: - description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. type: string required: - kind 
@@ -3041,18 +4736,25 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify + resources. DEPRECATED. Use PatchStrategicMerge instead. + Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to + modify resources. DEPRECATED. Use PatchesJSON6902 instead. + Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported + by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -3065,70 +4767,261 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be unique within the policy. + description: Name is a label to identify the rule, It must be + unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
+ At least one of the patterns must be satisfied for the + validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail a validation rule. + description: Deny defines conditions used to pass or fail + a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested + elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap reference + or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to + the Kubernetes API server. The JSON data retrieved + is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. 
For example a JMESPath of "items + | length(@)" applied to the API server response + to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be + used in the HTTP GET request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that + results in one or more elements to which the validation + logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if + a policy rule should be applied by evaluating a set + of conditions. The declaration can contain nested + `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed on failure. + description: Message specifies a custom message to be displayed + on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern used to check resources. + description: Pattern specifies an overlay-style pattern + used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures and mutate them to add a digest + description: VerifyImages is used to verify image signatures + and mutate them to add a digest items: - description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the + registry address, repository, image, and tag. Wildcards + (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the image is signed with. + description: Key is the PEM encoded public key that the + image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. 
If specified Repository will override the default OCI image repository configured for the installation. + description: Repository is an optional alternate OCI repository + to use for image signatures that match this rule. If + specified Repository will override the default OCI image + repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. + The default value is set to "true", it must be set to "false" to + disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy + rule failure should disallow the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for + this policy. After the timeout passes, the admission request will + fail based on the failure policy. The default timeout is 3s, the + value must be between 1 and 30 seconds. Default to 10 seconds. 
format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint + description: Status contains policy runtime information. Deprecated. Policy + metrics are available via the metrics endpoint properties: ready: - description: Ready indicates if the policy is ready to serve the admission request + description: Ready indicates if the policy is ready to serve the admission + request type: boolean required: - ready 
@@ -3206,17 +5099,22 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category 
@@ -3224,30 +5122,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -3259,19 +5173,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3283,7 +5236,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -3317,13 +5271,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3335,28 +5299,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -3368,26 +5343,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -3427,23 +5410,29 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy 
@@ -3451,24 +5440,39 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Properties provides additional information for the + policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -3480,19 +5484,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3504,7 +5547,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -3534,17 +5578,24 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that manages this report + description: Source is an identifier for the policy engine that + manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -3556,13 +5607,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3574,28 +5635,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -3607,26 +5679,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -3696,20 +5776,26 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category 
@@ -3717,30 +5803,46 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy rule + description: Data provides additional information for the policy + rule type: object message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -3752,19 +5854,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3776,7 +5917,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -3810,13 +5952,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3828,28 +5980,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -3861,26 +6024,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object 
@@ -3917,26 +6088,33 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests API + description: ReportChangeRequest is the Schema for the ReportChangeRequests + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual policy + description: PolicyReportResult provides the result for an individual + policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the policy rule + description: Message is a short user friendly description of the + policy rule type: string policy: description: Policy is the name of the policy 
@@ -3944,24 +6122,39 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the policy rule + description: Properties provides additional information for the + policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy + results that apply to multiple resources. For example, a policy + result may apply to all pods that match a label. Either a Resource + or a ResourceSelector can be specified. If neither are provided, + the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. type: string values: - description: values is an array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. items: type: string type: array 
@@ -3973,19 +6166,58 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource checked by the policy and rule + description: Resources is an optional reference to the resource + checked by the policy and rule items: - description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. 
We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many + fields which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, + which makes it hard for users to predict what will happen. 4. + The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during + interpretation and require a REST mapping. In most cases, the + dependency is on the group,resource tuple and the version + of the actual struct is irrelevant. 5. We cannot easily change + it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don''t make + new APIs embed an underspecified API type they do not control. + Instead of using this type, create a locally provided and used + type that is well-focused on your reference. 
For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead + of an entire object, this string should contain a valid + JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part + of an object. TODO: this design is not final and this field + is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -3997,7 +6229,8 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -4027,17 +6260,24 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that manages this report + description: Source is an identifier for the policy engine that + manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond + resolution. Negative second values with fractions must still + have non-negative nanos values that count forward in time. + Must be from 0 to 999,999,999 inclusive. This field may be + limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -4049,13 +6289,23 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access + statement, such as desiredState.manifest.containers[2]. For example, + if the object reference is to a container within a pod, this would + take on a value like: "spec.containers{name}" (where "name" refers + to the name of the container that triggered the event) or if no + container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined + way of referencing a part of an object. TODO: this design is not + final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -4067,28 +6317,39 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + description: ScopeSelector is an optional selector for multiple scopes + (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector applies + to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -4100,26 +6361,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be evaluated + description: Error provides the count of policies that could not be + evaluated type: integer fail: - description: Fail provides the count of policies whose requirements were not met + description: Fail provides the count of policies whose requirements + were not met type: integer pass: - description: Pass provides the count of policies whose requirements were met + description: Pass provides the count of policies whose requirements + were met type: integer skip: - description: Skip indicates the count of policies that were not selected for evaluation + description: Skip indicates the count of policies that were not selected + for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements were not met + description: Warn provides the count of unscored policies whose requirements + were not met type: integer type: object type: object diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index 89805ce407..27fb8fe9b8 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml 
@@ -1502,6 +1502,160 @@ spec: in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' x-kubernetes-preserve-unknown-fields: true type: object + foreach: + description: ForEach applies policy rule checks to nested + elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap reference + or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to + the Kubernetes API server. The JSON data retrieved + is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server response + to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be + used in the HTTP GET request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. 
+ type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that + results in one or more elements to which the validation + logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if + a policy rule should be applied by evaluating a set + of conditions. The declaration can contain nested + `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object message: description: Message specifies a custom message to be displayed on failure. diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index 2b214b4bbc..5dac0ab41b 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml 
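Review bot: The new `foreach` object declares `list` as a plain `type: string` but carries no `required` list, so a foreach entry with no `list` (and with `pattern`, `anyPattern` and `deny` all absent) is accepted by CRD schema validation and can only be rejected later by the webhook's own policy validation; adding `required:` / `- list` under the `foreach` object would fail it at admission instead. Because this file looks generated from the Go API types, the change belongs on the `List` field marker (e.g. `// +kubebuilder:validation:Required`) with the YAML regenerated, rather than edited here. The trailing `x-kubernetes-preserve-unknown-fields: true` on `preconditions` also means misspelled keys under it pass schema validation silently, which is worth a note in the field's description. The same schema is added to the Policy CRD in the next hunk.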
@@ -1503,6 +1503,160 @@ spec: in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' x-kubernetes-preserve-unknown-fields: true type: object + foreach: + description: ForEach applies policy rule checks to nested + elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap reference + or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to + the Kubernetes API server. The JSON data retrieved + is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the API + server. For example a JMESPath of "items + | length(@)" applied to the API server response + to the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be + used in the HTTP GET request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. 
+ type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that + results in one or more elements to which the validation + logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if + a policy rule should be applied by evaluating a set + of conditions. The declaration can contain nested + `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to + perform. Valid operators are Equals, NotEquals, + In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object message: description: Message specifies a custom message to be displayed on failure. diff --git a/definitions/install.yaml b/definitions/install.yaml index 3ce90b1a74..52b7f80059 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -52,18 +52,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -71,58 +66,32 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the - admission endpoint are handled. Rules within the same policy share - the same failure behavior. Allowed values are Ignore or Fail. Defaults - to Fail. + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. 
properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. 
type: string required: - urlPath @@ -145,36 +114,25 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -182,59 +140,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -246,60 +174,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -311,52 +209,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -366,30 +243,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -397,59 +266,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -461,60 +300,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -526,52 +335,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -581,23 +369,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -605,52 +387,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -662,54 +421,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -721,51 +456,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -780,10 +495,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -793,10 +505,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -808,46 +517,29 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. 
+ description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -855,59 +547,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -919,60 +581,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -984,52 +616,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1039,30 +650,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1070,59 +673,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1134,60 +707,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1199,52 +742,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1254,24 +776,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1279,52 +794,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1336,54 +828,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1395,51 +863,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1451,25 +899,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -1482,97 +923,163 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail - a validation rule. + description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. 
For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest + description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the - image is signed with. + description: Key is the PEM encoded public key that the image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. 
If - specified Repository will override the default OCI image - repository configured for the installation. + description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. format: int32 type: integer type: object 
@@ -1580,8 +1087,7 @@ spec: description: Status contains policy runtime data. properties: ready: - description: Ready indicates if the policy is ready to serve the admission - request + description: Ready indicates if the policy is ready to serve the admission request type: boolean required: - ready 
@@ -1655,26 +1161,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -1682,46 +1182,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1733,58 +1217,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1796,8 +1241,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1831,23 +1275,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1859,39 +1293,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1903,34 +1326,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -1967,33 +1382,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -2001,39 +1409,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2045,58 +1438,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2108,8 +1462,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2139,24 +1492,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -2168,23 +1514,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2196,39 +1532,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2240,34 +1565,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -2336,26 +1653,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -2363,46 +1674,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2414,58 +1709,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2477,8 +1733,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2512,23 +1767,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2540,39 +1785,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2584,34 +1818,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -2648,33 +1874,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -2682,39 +1901,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2726,58 +1930,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2789,8 +1954,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2820,24 +1984,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -2849,23 +2006,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2877,39 +2024,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2921,34 +2057,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -3012,14 +2140,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -3030,12 +2154,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true 
@@ -3047,18 +2169,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -3066,14 +2185,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -3082,8 +2197,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. 
@@ -3107,8 +2221,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: 
@@ -3190,19 +2303,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -3210,58 +2317,32 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the - admission endpoint are handled. Rules within the same policy share - the same failure behavior. Allowed values are Ignore or Fail. Defaults - to Fail. + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. 
properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. 
type: string required: - urlPath @@ -3284,36 +2365,25 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3321,59 +2391,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3385,60 +2425,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3450,52 +2460,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -3505,30 +2494,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3536,59 +2517,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3600,60 +2551,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3665,52 +2586,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -3720,23 +2620,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3744,52 +2638,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3801,54 +2672,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3860,51 +2707,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -3919,10 +2746,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -3932,10 +2756,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -3947,46 +2768,29 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. 
+ description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3994,59 +2798,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4058,60 +2832,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4123,52 +2867,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4178,30 +2901,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4209,59 +2924,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4273,60 +2958,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4338,52 +2993,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4393,24 +3027,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4418,52 +3045,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4475,54 +3079,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4534,51 +3114,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4590,25 +3150,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -4621,107 +3174,171 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail - a validation rule. + description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. 
For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest + description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the - image is signed with. + description: Key is the PEM encoded public key that the image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. 
If - specified Repository will override the default OCI image - repository configured for the installation. + description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. 
format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint + description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: ready: - description: Ready indicates if the policy is ready to serve the admission - request + description: Ready indicates if the policy is ready to serve the admission request type: boolean required: - ready 
@@ -4798,22 +3415,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -4821,46 +3433,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4872,58 +3468,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -4935,8 +3492,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -4970,23 +3526,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -4998,39 +3544,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5042,34 +3577,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5109,29 +3636,23 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -5139,39 +3660,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5183,58 +3689,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5246,8 +3713,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5277,24 +3743,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -5306,23 +3765,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5334,39 +3783,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5378,34 +3816,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5474,26 +3904,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -5501,46 +3925,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5552,58 +3960,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5615,8 +3984,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5650,23 +4018,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5678,39 +4036,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5722,34 +4069,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5786,33 +4125,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -5820,39 +4152,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5864,58 +4181,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5927,8 +4205,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5958,24 +4235,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -5987,23 +4257,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -6015,39 +4275,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6059,34 +4308,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 7c2f4a6aa3..db147aed2a 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml 
@@ -39,18 +39,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -58,58 +53,32 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the - admission endpoint are handled. Rules within the same policy share - the same failure behavior. Allowed values are Ignore or Fail. Defaults - to Fail. + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. 
properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. 
type: string required: - urlPath @@ -132,36 +101,25 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -169,59 +127,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -233,60 +161,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -298,52 +196,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -353,30 +230,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -384,59 +253,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -448,60 +287,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -513,52 +322,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -568,23 +356,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -592,52 +374,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -649,54 +408,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -708,51 +443,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -767,10 +482,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -780,10 +492,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -795,46 +504,29 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. 
+ description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -842,59 +534,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -906,60 +568,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -971,52 +603,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1026,30 +637,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1057,59 +660,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1121,60 +694,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1186,52 +729,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1241,24 +763,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1266,52 +781,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1323,54 +815,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1382,51 +850,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -1438,25 +886,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -1469,97 +910,163 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail - a validation rule. + description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. 
For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest + description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the - image is signed with. + description: Key is the PEM encoded public key that the image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. 
If - specified Repository will override the default OCI image - repository configured for the installation. + description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. format: int32 type: integer type: object 
@@ -1567,8 +1074,7 @@ spec: description: Status contains policy runtime data. properties: ready: - description: Ready indicates if the policy is ready to serve the admission - request + description: Ready indicates if the policy is ready to serve the admission request type: boolean required: - ready 
@@ -1635,26 +1141,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -1662,46 +1162,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1713,58 +1197,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1776,8 +1221,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -1811,23 +1255,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -1839,39 +1273,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -1883,34 +1306,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -1947,33 +1362,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -1981,39 +1389,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2025,58 +1418,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2088,8 +1442,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2119,24 +1472,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -2148,23 +1494,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2176,39 +1512,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2220,34 +1545,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -2309,26 +1626,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -2336,46 +1647,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2387,58 +1682,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2450,8 +1706,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2485,23 +1740,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2513,39 +1758,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2557,34 +1791,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -2621,33 +1847,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -2655,39 +1874,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2699,58 +1903,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2762,8 +1927,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -2793,24 +1957,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -2822,23 +1979,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -2850,39 +1997,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -2894,34 +2030,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -2978,14 +2106,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -2996,12 +2120,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true 
@@ -3013,18 +2135,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -3032,14 +2151,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -3048,8 +2163,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. 
@@ -3073,8 +2187,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: 
@@ -3149,19 +2262,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -3169,58 +2276,32 @@ spec: description: Spec defines policy behaviors and contains one or more rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unrecognized errors from the - admission endpoint are handled. Rules within the same policy share - the same failure behavior. Allowed values are Ignore or Fail. Defaults - to Fail. + description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. 
properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. properties: jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the API server. For example a JMESPath - of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. 
type: string required: - urlPath @@ -3243,36 +2324,25 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3280,59 +2350,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3344,60 +2384,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3409,52 +2419,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -3464,30 +2453,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3495,59 +2476,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3559,60 +2510,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3624,52 +2545,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -3679,23 +2579,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3703,52 +2597,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3760,54 +2631,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -3819,51 +2666,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -3878,10 +2705,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -3891,10 +2715,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -3906,46 +2727,29 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: all: - description: All allows specifying resources which will - be ANDed + description: All allows specifying resources which will be ANDed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. 
+ description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3953,59 +2757,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4017,60 +2791,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4082,52 +2826,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4137,30 +2860,22 @@ spec: type: object type: array any: - description: Any allows specifying resources which will - be ORed + description: Any allows specifying resources which will be ORed items: - description: ResourceFilters allow users to "AND" or "OR" - between resources + description: ResourceFilters allow users to "AND" or "OR" between resources properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4168,59 +2883,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4232,60 +2917,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that - the selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4297,52 +2952,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role - names for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4352,24 +2986,17 @@ spec: type: object type: array clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4377,52 +3004,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string names: - description: 'Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: 'Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4434,54 +3038,30 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4493,51 +3073,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. 
Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind 
@@ -4549,25 +3109,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. 
@@ -4580,107 +3133,171 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. A direct list of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' x-kubernetes-preserve-unknown-fields: true validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. 
At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions used to pass or fail - a validation rule. + description: Deny defines conditions used to pass or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies policy rule checks to nested elements. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. + properties: + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. 
For example a JMESPath of "items | length(@)" applied to the API server response to the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. + type: string + urlPath: + description: URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + type: string + required: + - urlPath + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + name: + description: Name is the variable name. + type: string + type: object + type: array + deny: + description: Deny defines conditions used to pass or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under an `any` or `all` statement. A direct list of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + list: + description: List specifies a JMESPath expression that results in one or more elements to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'Preconditions are used to determine if a policy rule should be applied by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + operator: + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. + enum: + - Equals + - NotEquals + - In + - NotIn + type: string + value: + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest + description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: ImageVerification validates that images that match the specified pattern are signed with the supplied public key. Once the image is verified it is mutated to include the SHA digest retrieved during the registration. properties: image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: 'Image is the image name consisting of the registry address, repository, image, and tag. Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' type: string key: - description: Key is the PEM encoded public key that the - image is signed with. + description: Key is the PEM encoded public key that the image is signed with. type: string repository: - description: Repository is an optional alternate OCI repository - to use for image signatures that match this rule. 
If - specified Repository will override the default OCI image - repository configured for the installation. + description: Repository is an optional alternate OCI repository to use for image signatures that match this rule. If specified Repository will override the default OCI image repository configured for the installation. type: string type: object type: array type: object type: array schemaValidation: - description: SchemaValidation skips policy validation checks. Optional. - The default value is set to "true", it must be set to "false" to - disable the validation checks. + description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. 
format: int32 type: integer type: object status: - description: Status contains policy runtime information. Deprecated. Policy - metrics are available via the metrics endpoint + description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: ready: - description: Ready indicates if the policy is ready to serve the admission - request + description: Ready indicates if the policy is ready to serve the admission request type: boolean required: - ready 
@@ -4750,22 +3367,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -4773,46 +3385,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4824,58 +3420,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -4887,8 +3444,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -4922,23 +3478,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -4950,39 +3496,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -4994,34 +3529,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5061,29 +3588,23 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -5091,39 +3612,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5135,58 +3641,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5198,8 +3665,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5229,24 +3695,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -5258,23 +3717,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5286,39 +3735,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5330,34 +3768,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5419,26 +3849,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category 
@@ -5446,46 +3870,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5497,58 +3905,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5560,8 +3929,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5595,23 +3963,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5623,39 +3981,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5667,34 +4014,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object 
@@ -5731,33 +4070,26 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category type: string message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy 
@@ -5765,39 +4097,24 @@ spec: properties: additionalProperties: type: string - description: Properties provides additional information for the - policy rule + description: Properties provides additional information for the policy rule type: object resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -5809,58 +4126,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. 
In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. 
Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5872,8 +4150,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' 
@@ -5903,24 +4180,17 @@ spec: - medium type: string source: - description: Source is an identifier for the policy engine that - manages this report + description: Source is an identifier for the policy engine that manages this report type: string timestamp: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. + description: Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -5932,23 +4202,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 
@@ -5960,39 +4220,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array 
@@ -6004,34 +4253,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index f36fe7f772..3a6aba16f9 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go 
@@ -451,6 +451,7 @@ type Deny struct { AnyAllConditions apiextensions.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"` } +// ForEach applies policy rule checks to nested elements. type ForEachValidation struct { // List specifies a JMESPath expression that results in one or more elements diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index 28e6cdfc08..2a50d1e62e 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go @@ -106,7 +106,7 @@ type RuleStats struct { //IsSuccessful checks if any rule has failed or not func (er EngineResponse) IsSuccessful() bool { for _, r := range er.PolicyResponse.Rules { - if r.Status != RuleStatusPass { + if r.Status == RuleStatusFail { return false } } @@ -117,12 +117,12 @@ func (er EngineResponse) IsSuccessful() bool { //IsFailed checks if any rule has succeeded or not func (er EngineResponse) IsFailed() bool { for _, r := range er.PolicyResponse.Rules { - if r.Status == RuleStatusPass { - return false + if r.Status == RuleStatusFail { + return true } } - return true + return false } //GetPatches returns all the patches joined From 086194ffab5fa47492219bb43850b9bc2f3f8a96 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 01:31:05 -0700 Subject: [PATCH 29/50] fix reporting Signed-off-by: Jim Bugwadia --- pkg/api/kyverno/v1/utils.go | 4 ++-- pkg/kyverno/apply/report.go | 2 +- pkg/kyverno/common/common.go | 28 ++++++++++++++++++++++------ pkg/kyverno/test/test_command.go | 20 +++++++++++++++++--- pkg/policyreport/builder.go | 26 +++++++++++++++++++++----- 5 files changed, 63 insertions(+), 17 deletions(-) diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go index 98b4f60d04..465d345920 100755 --- a/pkg/api/kyverno/v1/utils.go +++ b/pkg/api/kyverno/v1/utils.go 
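Review bot: The doc comment added above `ForEachValidation` does not start with the type's name, so godoc will not attach it to the type and `golint`/`staticcheck` (ST1021) will flag it; change it to `// ForEachValidation applies policy rule checks to nested elements.`. The struct's body continues outside the hunk.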
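Review bot: `IsFailed` in the second response.go hunk returns true only for `RuleStatusFail`, and the first hunk makes `IsSuccessful` return true for everything except `RuleStatusFail`, so an engine response whose rule ended in `RuleStatusError` is now reported as successful by both predicates. If errors should not count as success, `IsSuccessful` needs `if r.Status == RuleStatusFail || r.Status == RuleStatusError { return false }` and `IsFailed` the matching `|| r.Status == RuleStatusError`. The comment `//IsFailed checks if any rule has succeeded or not` no longer describes the function; `// IsFailed reports whether any rule failed.` would.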
@@ -199,6 +199,6 @@ type ViolatedRule struct { // +optional Message string `json:"message" yaml:"message"` - // +optional - Check string `json:"check" yaml:"check"` + // Status shows the rule response status + Status string `json:"status" yaml:"status"` } diff --git a/pkg/kyverno/apply/report.go b/pkg/kyverno/apply/report.go index 686b3621b8..1dd976f9f3 100644 --- a/pkg/kyverno/apply/report.go +++ b/pkg/kyverno/apply/report.go @@ -108,7 +108,7 @@ func buildPolicyResults(infos []policyreport.Info) map[string][]*report.PolicyRe result.Rule = rule.Name result.Message = rule.Message - result.Result = report.PolicyResult(rule.Check) + result.Result = report.PolicyResult(rule.Status) result.Source = policyreport.SourceValue result.Timestamp = now results[appname] = append(results[appname], &result) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index c96a47ec25..ec6f852777 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -768,20 +768,36 @@ func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *r Message: valResponseRule.Message, } - if valResponseRule.Status == response.RuleStatusPass { + switch valResponseRule.Status { + case response.RuleStatusPass: rc.Pass++ - vrule.Check = report.StatusPass - } else { + vrule.Status = report.StatusPass + + case response.RuleStatusFail: + rc.Fail++ + vrule.Status = report.StatusFail if !policyReport { if printCount < 1 { fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.Name, resPath) printCount++ } + fmt.Printf("%d. %s: %s \n", i+1, valResponseRule.Name, valResponseRule.Message) } - rc.Fail++ - vrule.Check = report.StatusFail + + case response.RuleStatusError: + rc.Error++ + vrule.Status = report.StatusError + + case response.RuleStatusWarn: + rc.Warn++ + vrule.Status = report.StatusWarn + + case response.RuleStatusSkip: + rc.Skip++ + vrule.Status = report.StatusSkip } + violatedRules = append(violatedRules, vrule) continue } 
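Review bot: Renaming `Check` to `Status` also changes the serialized key from `check` to `status` on a type under `pkg/api/kyverno/v1`, so any stored or externally consumed JSON/YAML produced with the old key no longer round-trips; if that compatibility matters, keep the old field for a release with `// Deprecated: use Status.` or call out the break in the commit message. The `// +optional` marker that `Check` carried was dropped for `Status` while `Message` keeps it; since `ProcessValidateEngineResponse` in this patch can leave `Status` unset for an unhandled rule status, the marker is probably still accurate and should be restored.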
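Review bot: The new `switch valResponseRule.Status` in `ProcessValidateEngineResponse` has no `default` branch, so a status outside the five handled cases appends a `vrule` with an empty `Status` and increments none of the `rc` counters, and `report.PolicyResult("")` downstream accepts that silently. Add `default: rc.Error++; vrule.Status = report.StatusError` (or at least log the unexpected value) so unmapped statuses stay visible. The same pass/fail/error/warn/skip mapping is reimplemented as `toPolicyResult` in pkg/policyreport/builder.go in this patch; sharing one helper would keep the two from drifting. The enclosing function starts and ends outside the hunk.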
@@ -793,7 +809,7 @@ func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *r Name: policyRule.Name, Type: "Validation", Message: policyRule.Validation.Message, - Check: report.StatusSkip, + Status: report.StatusSkip, } violatedRules = append(violatedRules, vruleSkip) } diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 3518745e76..5b4dade930 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -255,6 +255,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu Name: resourceName, }, }, + Message: buildMessage(resp), } for i, test := range testResults { @@ -297,7 +298,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu } result.Rule = rule.Name - result.Result = report.PolicyResult(rule.Check) + result.Result = report.PolicyResult(rule.Status) result.Source = policyreport.SourceValue result.Timestamp = now results[resultsKey] = result @@ -308,6 +309,16 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu return results, testResults } +func buildMessage(resp *response.EngineResponse) string { + var bldr strings.Builder + for _, ruleResp := range resp.PolicyResponse.Rules { + fmt.Fprintf(&bldr, " %s: %s \n", ruleResp.Name, ruleResp.Status.String()) + fmt.Fprintf(&bldr, " %s \n", ruleResp.Message) + } + + return bldr.String() +} + func getPolicyResourceFullPath(path []string, policyResourcePath string, isGit bool) []string { var pol []string if !isGit { 
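Review bot: `buildMessage` concatenates the name, status and message of every rule in the engine response, and `printTestResult` (later hunk in this file) appears to print that whole string whenever one test expectation mismatches, so a failure on one rule dumps the messages of all rules for that resource; building the message per rule, or keying it by rule name, would make the diagnostic point at the rule that actually failed. The helper also lacks a doc comment; suggest `// buildMessage renders the name, status and message of each rule in resp, for use in test failure output.`.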
@@ -464,17 +475,20 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T v.Result = v.Status } if testRes.Result == v.Result { + res.Result = boldGreen.Sprintf("Pass") if testRes.Result == report.StatusSkip { - res.Result = boldGreen.Sprintf("Pass") rc.Skip++ } else { - res.Result = boldGreen.Sprintf("Pass") rc.Pass++ } } else { + fmt.Printf("test failed for policy=%s, rule=%s, resource=%s, expected=%s, recieved=%s \n", + v.Policy, v.Rule, v.Resource, v.Result, testRes.Result) + fmt.Printf("%s \n", testRes.Message) res.Result = boldRed.Sprintf("Fail") rc.Fail++ } + table = append(table, res) } printer.BorderTop, printer.BorderBottom, printer.BorderLeft, printer.BorderRight = true, true, true, true diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go index ebbaaa8bd7..d32ae66876 100755 --- a/pkg/policyreport/builder.go +++ b/pkg/policyreport/builder.go @@ -160,7 +160,7 @@ func (builder *requestBuilder) buildRCRResult(policy string, resource response.R result.Rule = rule.Name result.Message = rule.Message - result.Result = report.PolicyResult(rule.Check) + result.Result = report.PolicyResult(rule.Status) if result.Result == "fail" && !av.scored { result.Result = "warn" } 
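Review bot: The failure diagnostics added in the `else` branch are written with `fmt.Printf` to stdout inside the result loop, before the table that `printer` renders after it, so they interleave with the table output and are hard to separate in captured CLI output; writing them with `fmt.Fprintf(os.Stderr, ...)` or collecting them and printing after the table would keep the two apart. The enclosing function starts and ends outside the hunk.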
@@ -263,15 +263,31 @@ func buildViolatedRules(er *response.EngineResponse) []kyverno.ViolatedRule { Type: rule.Type, Message: rule.Message, } - vrule.Check = report.StatusFail - if rule.Status == response.RuleStatusPass { - vrule.Check = report.StatusPass - } + + vrule.Status = toPolicyResult(rule.Status) violatedRules = append(violatedRules, vrule) } + return violatedRules } +func toPolicyResult(status response.RuleStatus) string { + switch status { + case response.RuleStatusPass: + return report.StatusPass + case response.RuleStatusFail: + return report.StatusFail + case response.RuleStatusError: + return report.StatusError + case response.RuleStatusWarn: + return report.StatusWarn + case response.RuleStatusSkip: + return report.StatusSkip + } + + return "" +} + const categoryLabel string = "policies.kyverno.io/category" const severityLabel string = "policies.kyverno.io/severity" const scoredLabel string = "policies.kyverno.io/scored" From 731ffde0e7ad485e0197c50f08da820ac98e1c79 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 03:15:22 -0700 Subject: [PATCH 30/50] fix messages and tests Signed-off-by: Jim Bugwadia --- pkg/engine/anchor/anchor.go | 4 +-- .../mutate/strategicPreprocessing_test.go | 2 +- pkg/engine/response/response.go | 2 +- pkg/engine/validate/validate.go | 6 ++--- pkg/engine/validate/validate_test.go | 14 +++++----- pkg/engine/validation.go | 8 +++++- pkg/engine/variables/vars.go | 4 +++ pkg/generate/validate.go | 6 ++--- pkg/policy/common/validate_pattern.go | 2 +- pkg/policy/validate/validate_test.go | 26 +++++++++---------- test/e2e/mutate/mutate_test.go | 2 +- 11 files changed, 43 insertions(+), 33 deletions(-) diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go index c57a2be5fc..b1127ad4e0 100644 --- a/pkg/engine/anchor/anchor.go +++ b/pkg/engine/anchor/anchor.go 
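Review bot: `toPolicyResult` falls through to `return ""` for any `RuleStatus` it does not list, so `buildViolatedRules` then emits a `ViolatedRule` with an empty `Status` and `buildRCRResult` (earlier hunk in this file) turns that into `report.PolicyResult("")`; returning `report.StatusError` in the fallthrough, or logging the unexpected value, would make such rules visible instead of producing an empty result. The helper also has no doc comment; suggest `// toPolicyResult maps an engine RuleStatus to its policy report result string.`. The same switch exists in `ProcessValidateEngineResponse` in pkg/kyverno/common/common.go in this patch.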
@@ -58,7 +58,7 @@ func (nh NegationHandler) Handle(handler resourceElementHandler, resourceMap map // if anchor is present in the resource then fail if _, ok := resourceMap[anchorKey]; ok { // no need to process elements in value as key cannot be present in resource - return currentPath, fmt.Errorf("Validation rule failed at %s, field %s is disallowed", currentPath, anchorKey) + return currentPath, fmt.Errorf("%s/%s is not allowed", currentPath, anchorKey) } // key is not defined in the resource return "", nil @@ -118,7 +118,7 @@ func (dh DefaultHandler) Handle(handler resourceElementHandler, resourceMap map[ if dh.pattern == "*" && resourceMap[dh.element] != nil { return "", nil } else if dh.pattern == "*" && resourceMap[dh.element] == nil { - return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element) + return dh.path, fmt.Errorf("%s/%s not found", dh.path, dh.element) } else { path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath, ac) if err != nil { diff --git a/pkg/engine/mutate/strategicPreprocessing_test.go b/pkg/engine/mutate/strategicPreprocessing_test.go index 28905473cf..fc2a1af8ef 100644 --- a/pkg/engine/mutate/strategicPreprocessing_test.go +++ b/pkg/engine/mutate/strategicPreprocessing_test.go @@ -924,7 +924,7 @@ func Test_CheckConditionAnchor_DoesNotMatch(t *testing.T) { resource := yaml.MustParse(string(resourceRaw)) err := checkCondition(log.Log, pattern, resource) - assert.Error(t, err, "Validation rule failed at '/key1/' to validate value 'sample' with pattern 'value*'") + assert.Error(t, err, "resource value 'sample' does not match 'value*' at path /key1/") } func Test_ValidateConditions_MapWithOneCondition_Matches(t *testing.T) { diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index 2a50d1e62e..1ef04f8a79 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go 
@@ -106,7 +106,7 @@ type RuleStats struct { //IsSuccessful checks if any rule has failed or not func (er EngineResponse) IsSuccessful() bool { for _, r := range er.PolicyResponse.Rules { - if r.Status == RuleStatusFail { + if r.Status == RuleStatusFail || r.Status == RuleStatusError { return false } } diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index 3ab332a5ee..e11d239539 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go @@ -82,19 +82,19 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o case []interface{}: for _, res := range resource { if !ValidateValueWithPattern(log, res, patternElement) { - return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement) + return path, fmt.Errorf("resource value '%v' does not match '%v' at path %s", resourceElement, patternElement, path) } } return "", nil default: if !ValidateValueWithPattern(log, resourceElement, patternElement) { - return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement) + return path, fmt.Errorf("resource value '%v' does not match '%v' at path %s", resourceElement, patternElement, path) } } default: log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement)) - return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) + return path, fmt.Errorf("failed at '%s', pattern contains unknown type", path) } return "", nil } diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index 65787e8bef..0f46a73833 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go 
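Review bot: `IsSuccessful` now treats `RuleStatusError` as not successful, but `IsFailed` (just below, outside this hunk, as shown in an earlier patch on this page) still returns true only for `RuleStatusFail`, so a response whose only non-pass rule errored is neither successful nor failed. If that is intended, both doc comments should say so; otherwise `IsFailed` needs the matching `if r.Status == RuleStatusFail || r.Status == RuleStatusError {`.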
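Review bot: In the `[]interface{}` branch the rewritten message still formats `resourceElement`, the whole slice, instead of `res`, the element that failed `ValidateValueWithPattern`, so the error reports every value in the list rather than the offending one; use `return path, fmt.Errorf("resource value '%v' does not match '%v' at path %s", res, patternElement, path)` there. The enclosing function starts outside the hunk.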
@@ -1507,7 +1507,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { name: "test-23", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "imagePullPolicy": "Always"}]}}`), - nilErr: true, + nilErr: false, }, { name: "test-24", @@ -1519,7 +1519,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { name: "test-25", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo1", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), - nilErr: true, + nilErr: false, }, { name: "test-26", @@ -1531,7 +1531,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { name: "test-27", pattern: []byte(`{"spec": {"containers": [{"name": "*", "env": [{"<(name)": "foo", "<(value)": "bar" }],"imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx", "env": [{"name": "foo1", "value": "bar" }],"imagePullPolicy": "Always"}]}}`), - nilErr: true, + nilErr: false, }, { name: "test-28", @@ -1549,7 +1549,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { name: "test-30", pattern: []byte(`{"metadata": {"<(name)": "nginx"},"spec": {"imagePullSecrets": [{"name": "regcred"}]}}`), resource: []byte(`{"metadata": {"name": "somename"},"spec": {"containers": [{"name": "nginx","image": "nginx:latest"}], "imagePullSecrets": [{"name": "cred"}]}}`), - nilErr: true, + nilErr: false, }, { name: "test-31", 
@@ -1579,7 +1579,7 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) { name: "test-35", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "nginx"}],"imagePullSecrets": [{"name": "my-registry-secret"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "somepod"}], "imagePullSecrets": [{"name": "cred"}]}}`), - nilErr: true, + nilErr: false, }, { name: "test-36", @@ -1605,7 +1605,7 @@ func Test_global_anchor(t *testing.T) { name: "check global anchor_skip", pattern: []byte(`{"spec": {"containers": [{"name": "*","<(image)": "*:latest","imagePullPolicy": "!Always"}]}}`), resource: []byte(`{"spec": {"containers": [{"name": "nginx","image": "nginx:v1", "imagePullPolicy": "Always"}]}}`), - nilErr: true, + nilErr: false, }, { name: "check global anchor_apply", @@ -1631,7 +1631,7 @@ func testMatchPattern(t *testing.T, testCase struct { err = json.Unmarshal(testCase.resource, &resource) assert.NilError(t, err) - err, _ = MatchPattern(log.Log, resource, pattern) + err = MatchPattern(log.Log, resource, pattern) if testCase.nilErr { assert.NilError(t, err, fmt.Sprintf("\ntest: %s\npattern: %s\nresource: %s\n", testCase.name, pattern, resource)) } else { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 0304f45f71..844acb72a6 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go 
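Review bot: The flipped expectations in this file (test-23, test-25, test-27, test-30, test-35 and `check global anchor_skip`, earlier hunks) now only assert that `MatchPattern` returns a non-nil error, so they cannot tell a conditional/global anchor skip apart from a genuine pattern mismatch; since `validatePatterns` in pkg/engine/validation.go (this patch) branches on `pe.Skip`, the harness should check it too, e.g. with a `skip` field on the case struct and `pe, ok := err.(*PatternError); assert.Assert(t, ok && pe.Skip == testCase.skip)`. The `else` branch of `testMatchPattern` continues outside the hunk.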
@@ -458,14 +458,20 @@ func isSameRuleResponse(r1 *response.RuleResponse, r2 *response.RuleResponse) bo func (v *validator) validatePatterns(resource unstructured.Unstructured) *response.RuleResponse { if v.pattern != nil { if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil { - if pe, ok := err.(*validate.PatternError); ok { v.log.V(3).Info("validation error", "path", pe.Path, "error", err.Error()) + + if pe.Skip { + return ruleResponse(v.rule, pe.Error(), response.RuleStatusSkip) + } + if pe.Path == "" { return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError) } return ruleResponse(v.rule, v.buildErrorMessage(err, pe.Path), response.RuleStatusFail) + } else { + return ruleResponse(v.rule, v.buildErrorMessage(err, pe.Path), response.RuleStatusError) } } diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index ab019ff951..65d4b07ea9 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go @@ -320,6 +320,10 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface, vr Var } func isDeleteRequest(ctx context.EvalInterface) bool { + if ctx == nil { + return false + } + operation, err := ctx.Query("request.operation") if err == nil && operation == "DELETE" { return true diff --git a/pkg/generate/validate.go b/pkg/generate/validate.go index 0bc4345f22..6047e814c3 100644 --- a/pkg/generate/validate.go +++ b/pkg/generate/validate.go 
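Review bot: The new `else` branch dereferences `pe` after the type assertion failed; a failed `err.(*validate.PatternError)` assertion leaves `pe` as a nil pointer, so `pe.Path` panics with a nil-pointer dereference for any error that is not a `PatternError`. Pass an empty path instead: `return ruleResponse(v.rule, v.buildErrorMessage(err, ""), response.RuleStatusError)`. The `pe.Skip` branch also builds its message from `pe.Error()` rather than `v.buildErrorMessage` like the fail and error branches, which may be intentional but deserves a comment. The enclosing function continues outside the hunk.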
@@ -55,12 +55,12 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o // elementary values case string, float64, int, int64, bool, nil: if !validate.ValidateValueWithPattern(log, resourceElement, patternElement) { - return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement) + return path, fmt.Errorf("value '%v' does not match '%v' at path %s", resourceElement, patternElement, path) } default: log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement)) - return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) + return path, fmt.Errorf("failed at path '%s', pattern contains unknown type", path) } return "", nil } @@ -145,7 +145,7 @@ func (dh Handler) Handle(handler resourceElementHandler, resourceMap map[string] if dh.pattern == "*" && resourceMap[dh.element] != nil { return "", nil } else if dh.pattern == "*" && resourceMap[dh.element] == nil { - return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element) + return dh.path, fmt.Errorf("failed at path %s, field %s is not present", dh.path, dh.element) } else { path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath) if err != nil { diff --git a/pkg/policy/common/validate_pattern.go b/pkg/policy/common/validate_pattern.go index d14f77e67a..737d7d65d0 100644 --- a/pkg/policy/common/validate_pattern.go +++ b/pkg/policy/common/validate_pattern.go 
@@ -19,7 +19,7 @@ func ValidatePattern(patternElement interface{}, path string, supportedAnchors [ //TODO? check operator return "", nil default: - return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) + return path, fmt.Errorf("error at '%s', pattern contains unknown type", path) } } func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []commonAnchors.IsAnchor) (string, error) { diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go index 17ce74590e..99b7b3349b 100644 --- a/pkg/policy/validate/validate_test.go +++ b/pkg/policy/validate/validate_test.go @@ -16,7 +16,7 @@ func Test_Validate_OverlayPattern_Empty(t *testing.T) { err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -30,7 +30,7 @@ func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -68,7 +68,7 @@ func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } 
@@ -106,7 +106,7 @@ func Test_Validate_OverlayPattern_Valid(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.NilError(t, err) } @@ -139,7 +139,7 @@ func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -169,7 +169,7 @@ func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) { var validation kyverno.Validation err := json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -202,7 +202,7 @@ func Test_Validate_ExistingAnchor_Valid(t *testing.T) { err = json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker := NewValidateFactory(validation) + checker := NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -227,7 +227,7 @@ func Test_Validate_ExistingAnchor_Valid(t *testing.T) { } `) err = json.Unmarshal(rawValidation, &validation) assert.NilError(t, err) - checker = NewValidateFactory(validation) + checker = NewValidateFactory(&validation) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -268,7 +268,7 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(validate) + checker := NewValidateFactory(&validate) if _, err := checker.Validate(); err != nil { assert.NilError(t, err) } 
@@ -290,7 +290,7 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker = NewValidateFactory(validate) + checker = NewValidateFactory(&validate) if _, err := checker.Validate(); err != nil { assert.NilError(t, err) } @@ -317,7 +317,7 @@ func Test_Validate_Validate_Mismatched(t *testing.T) { var validate kyverno.Validation err := json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(validate) + checker := NewValidateFactory(&validate) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -347,7 +347,7 @@ func Test_Validate_Validate_Unsupported(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker := NewValidateFactory(validate) + checker := NewValidateFactory(&validate) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } @@ -373,7 +373,7 @@ func Test_Validate_Validate_Unsupported(t *testing.T) { err = json.Unmarshal(rawValidate, &validate) assert.NilError(t, err) - checker = NewValidateFactory(validate) + checker = NewValidateFactory(&validate) if _, err := checker.Validate(); err != nil { assert.Assert(t, err != nil) } diff --git a/test/e2e/mutate/mutate_test.go b/test/e2e/mutate/mutate_test.go index 621445a2cd..ff79bfdd1e 100644 --- a/test/e2e/mutate/mutate_test.go +++ b/test/e2e/mutate/mutate_test.go @@ -216,7 +216,7 @@ func Test_Mutate(t *testing.T) { Expect(err).NotTo(HaveOccurred()) By("Validating created resource with the expected pattern...") - err, _ = validate.MatchPattern(log.Log, actual, expected) + err = validate.MatchPattern(log.Log, actual, expected) Expect(err).NotTo(HaveOccurred()) By("Deleting Cluster Policies...") From 77ae92e7845352f4a65b4025018c6ba8ab6a9554 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 03:28:58 -0700 Subject: [PATCH 31/50] improve messages 
Signed-off-by: Jim Bugwadia --- pkg/engine/anchor/anchor.go | 4 ++-- pkg/engine/common/anchorKey.go | 4 ++-- pkg/kyverno/test/test_command.go | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go index b1127ad4e0..bf98147333 100644 --- a/pkg/engine/anchor/anchor.go +++ b/pkg/engine/anchor/anchor.go @@ -153,7 +153,7 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource // validate the values of the pattern returnPath, err := handler(log.Log, value, ch.pattern, originPattern, currentPath, ac) if err != nil { - ac.AnchorError = common.NewConditionalAnchorError(fmt.Sprintf("condition anchor did not satisfy: %s", err.Error())) + ac.AnchorError = common.NewConditionalAnchorError(err.Error()) return returnPath, ac.AnchorError.Error() } return "", nil @@ -187,7 +187,7 @@ func (gh GlobalAnchorHandler) Handle(handler resourceElementHandler, resourceMap // validate the values of the pattern returnPath, err := handler(log.Log, value, gh.pattern, originPattern, currentPath, ac) if err != nil { - ac.AnchorError = common.NewGlobalAnchorError(fmt.Sprintf("global anchor did not satisfy: %s", err.Error())) + ac.AnchorError = common.NewGlobalAnchorError(err.Error()) return returnPath, ac.AnchorError.Error() } return "", nil diff --git a/pkg/engine/common/anchorKey.go b/pkg/engine/common/anchorKey.go index 6e1e92e13d..4d52bf0c0d 100644 --- a/pkg/engine/common/anchorKey.go +++ b/pkg/engine/common/anchorKey.go @@ -74,10 +74,10 @@ type ValidateAnchorError struct { } // ConditionalAnchorErrMsg - the error message for conditional anchor error -var ConditionalAnchorErrMsg = "conditionalAnchorError" +var ConditionalAnchorErrMsg = "conditional anchor mismatch" // GlobalAnchorErrMsg - the error message for global anchor error -var GlobalAnchorErrMsg = "globalAnchorError" +var GlobalAnchorErrMsg = "global anchor mismatch" // AnchorKey - contains map of anchors type AnchorKey struct { 
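Review bot: `ConditionalAnchorErrMsg` and `GlobalAnchorErrMsg` are exported, mutable package-level `var`s whose text this hunk changes, so anything that selects on the error text rather than the error type will silently stop matching, and any importer can rewrite them at runtime. Declaring them `const ConditionalAnchorErrMsg = "conditional anchor mismatch"` (and likewise for the global one) makes the contract explicit. Since the anchor.go hunks also drop the "condition anchor did not satisfy" / "global anchor did not satisfy" prefixes from the wrapped cause, a comment on these values should state that they are now the only marker identifying an anchor mismatch, if that is how callers are expected to recognise one.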
diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 5b4dade930..352eaa5b46 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -482,7 +482,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T rc.Pass++ } } else { - fmt.Printf("test failed for policy=%s, rule=%s, resource=%s, expected=%s, recieved=%s \n", + fmt.Printf("test failed for policy=%s, rule=%s, resource=%s, expected=%s, received=%s \n", v.Policy, v.Rule, v.Resource, v.Result, testRes.Result) fmt.Printf("%s \n", testRes.Message) res.Result = boldRed.Sprintf("Fail") From c9ec282764af65b2cd797e10c3beb3bfebd82eb2 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 04:00:06 -0700 Subject: [PATCH 32/50] format Signed-off-by: Jim Bugwadia --- pkg/kyverno/common/common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index ec6f852777..f268556382 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -809,7 +809,7 @@ func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *r Name: policyRule.Name, Type: "Validation", Message: policyRule.Validation.Message, - Status: report.StatusSkip, + Status: report.StatusSkip, } violatedRules = append(violatedRules, vruleSkip) } From 529a3509d5d79a2a997344384d8a7c2468afe602 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 22:36:06 -0700 Subject: [PATCH 33/50] fix deployment-missing-labels test Signed-off-by: Jim Bugwadia --- pkg/kyverno/test/test_command.go | 11 ++++++++--- test/cli/test/autogen/test.yaml | 2 +- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 352eaa5b46..91dd4dabe8 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go 
@@ -50,11 +50,13 @@ func Command() *cobra.Command { } } }() + _, err = testCommandExecute(dirPath, valuesFile, fileName) if err != nil { log.Log.V(3).Info("a directory is required") return err } + return nil }, } @@ -192,14 +194,16 @@ func testCommandExecute(dirPath []string, valuesFile string, fileName string) (r } if len(errors) > 0 && log.Log.V(1).Enabled() { - fmt.Printf("ignoring errors: \n") + fmt.Printf("test errors: \n") for _, e := range errors { fmt.Printf(" %v \n", e.Error()) } } + if rc.Fail > 0 { os.Exit(1) } + os.Exit(0) return rc, nil } @@ -430,12 +434,13 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s pvInfos = append(pvInfos, info) } } - resultsMap, testResults := buildPolicyResults(validateEngineResponses, values.Results, pvInfos) + resultsMap, testResults := buildPolicyResults(validateEngineResponses, values.Results, pvInfos) resultErr := printTestResult(resultsMap, testResults, rc) if resultErr != nil { - return sanitizederror.NewWithError("Unable to genrate result. Error:", resultErr) + return sanitizederror.NewWithError("failed to print test result:", resultErr) } + return } diff --git a/test/cli/test/autogen/test.yaml b/test/cli/test/autogen/test.yaml index d6bef7195f..b1dd406ce0 100644 --- a/test/cli/test/autogen/test.yaml +++ b/test/cli/test/autogen/test.yaml @@ -24,7 +24,7 @@ results: # TEST: Deployment with Labels Should Fail - policy: require-common-labels rule: check-for-labels - result: fail + result: skip resource: deployment-missing-labels # TEST: StatefulSet with Labels Should Pass From ee6aafa7bbe625af612dcc45d216faa2e988c16e Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 23:07:40 -0700 Subject: [PATCH 34/50] fix linter issues Signed-off-by: Jim Bugwadia --- pkg/engine/utils.go | 6 +++--- pkg/engine/validation.go | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 0e792ace04..063f299999 100644 
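Review bot: The added `os.Exit(1)` / `os.Exit(0)` inside `testCommandExecute` terminates the process from a library-style function, which skips every deferred call in its callers — including the anonymous function closed by `}()` just above the `testCommandExecute` call in `Command`, which looks like a deferred recover/cleanup handler — and makes the following `return rc, nil` unreachable, so `Command`'s `_, err = testCommandExecute(...)` can never act on a failing run. Return the count and let the cobra command decide, e.g. `if rc.Fail > 0 { return fmt.Errorf("%d test(s) failed", rc.Fail) }` in `Command`, so the deferred handlers run and the exit code still reflects failure. Separately, `log.Log.V(3).Info("a directory is required")` is now emitted for any error returned by `testCommandExecute`, not only a missing directory; log the error itself (`log.Log.V(3).Info("test command failed", "error", err)`). `testCommandExecute` and `Command` both start outside their hunks.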
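Review bot: The expected result for `deployment-missing-labels` under `require-common-labels` / `check-for-labels` changes from `fail` to `skip`, but the fixture's own heading on the line above still reads `# TEST: Deployment with Labels Should Fail`, so the test now contradicts its stated intent. A validation rule that skips a Deployment missing required labels is a fail-open outcome; if the skip is deliberate (for instance the rule is now evaluated only at the Pod level via autogen and the Deployment itself is out of scope), the heading should say so, otherwise the engine change that made this pass is masking a regression rather than fixing a test. Either way, record the reason in the fixture, e.g. `# TEST: Deployment without labels is skipped at the Deployment level; the Pod-level autogen result covers the fail case` — and make sure a case that actually asserts `fail` for a non-compliant resource still exists in the suite.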
--- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -256,15 +256,15 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User } //MatchesResourceDescription checks if the resource matches resource description of the rule or not -func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error { +func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef *kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error { - rule := *ruleRef.DeepCopy() + rule := ruleRef.DeepCopy() resource := *resourceRef.DeepCopy() admissionInfo := *admissionInfoRef.DeepCopy() var reasonsForFailure []error if len(rule.MatchResources.Any) > 0 { - // inlcude object if ANY of the criterias match + // include object if ANY of the criteria match // so if one matches then break from loop oneMatched := false for _, rmr := range rule.MatchResources.Any { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 844acb72a6..de16f651cb 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -92,7 +92,8 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo ctx.JSONContext.Checkpoint() defer ctx.JSONContext.Restore() - for _, rule := range ctx.Policy.Spec.Rules { + for i := range ctx.Policy.Spec.Rules { + rule := &ctx.Policy.Spec.Rules[i] if !rule.HasValidate() { continue } @@ -106,7 +107,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo ctx.JSONContext.Reset() startTime := time.Now() - ruleResp := processValidationRule(log, ctx, &rule) + ruleResp := processValidationRule(log, ctx, rule) if ruleResp != nil { addRuleResponse(log, resp, ruleResp, startTime) } 
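Review bot: `rule := &ctx.Policy.Spec.Rules[i]` hands `processValidationRule` a pointer into `ctx.Policy.Spec.Rules` instead of the per-iteration copy the previous `for _, rule := range` produced (the old code passed `&rule`, i.e. the address of that copy), so any write to the rule — or to the slices and maps it holds — now mutates the policy object itself. If `ctx.Policy` is served from a shared informer cache, that becomes a cross-request data race and a way for one admission request to alter the rule the next request evaluates. The `MatchesResourceDescription` hunk above deep-copies before touching anything; confirm `processValidationRule` and its callees are equally read-only, or keep the copy semantics with `rule := ctx.Policy.Spec.Rules[i]` followed by `processValidationRule(log, ctx, &rule)`. `validateResource` begins before the hunk.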
@@ -417,7 +418,7 @@ func isEmptyUnstructured(u *unstructured.Unstructured) bool { } // matches checks if either the new or old resource satisfies the filter conditions defined in the rule -func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool { +func matches(logger logr.Logger, rule *kyverno.Rule, ctx *PolicyContext) bool { err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) if err == nil { return true From 6cf9fdd5027351e76fb754f8402d15b54a61bc0b Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 23:23:45 -0700 Subject: [PATCH 35/50] fix compile errors Signed-off-by: Jim Bugwadia --- pkg/engine/imageVerify.go | 6 +++--- pkg/engine/utils.go | 2 +- pkg/engine/validation.go | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index ab5c857faa..fc362f68ae 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -43,7 +43,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe defer policyContext.JSONContext.Restore() for i := range policyContext.Policy.Spec.Rules { - rule := policyContext.Policy.Spec.Rules[i] + rule := &policyContext.Policy.Spec.Rules[i] if len(rule.VerifyImages) == 0 { continue } @@ -54,8 +54,8 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe policyContext.JSONContext.Restore() for _, imageVerify := range rule.VerifyImages { - verifyAndPatchImages(logger, policyContext, &rule, imageVerify, images.Containers, resp) - verifyAndPatchImages(logger, policyContext, &rule, imageVerify, images.InitContainers, resp) + verifyAndPatchImages(logger, policyContext, rule, imageVerify, images.Containers, resp) + verifyAndPatchImages(logger, policyContext, rule, imageVerify, images.InitContainers, resp) } } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 063f299999..e24a205fd5 100644 
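Review bot: The same aliasing concern as in validation.go applies here: `rule := &policyContext.Policy.Spec.Rules[i]` gives `verifyAndPatchImages` a pointer into the live policy spec rather than the value copy the replaced line made, so if that function (outside the hunk) records state on the rule or modifies `rule.VerifyImages`, the change lands on the shared policy object rather than on a throwaway copy. If the pointer is only for `gocritic`'s hugeParam/range-copy warning and the callee is read-only, a one-line comment at the loop head stating that invariant — `// rule points into the shared policy; treat as read-only` — would keep the next maintainer from adding a write. `VerifyAndPatchImages` starts before and ends after these hunks.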
--- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -256,7 +256,7 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User } //MatchesResourceDescription checks if the resource matches resource description of the rule or not -func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef *kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error { +func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error { rule := ruleRef.DeepCopy() resource := *resourceRef.DeepCopy() diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index de16f651cb..3117a08544 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -419,13 +419,13 @@ func isEmptyUnstructured(u *unstructured.Unstructured) bool { // matches checks if either the new or old resource satisfies the filter conditions defined in the rule func matches(logger logr.Logger, rule *kyverno.Rule, ctx *PolicyContext) bool { - err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) + err := MatchesResourceDescription(ctx.NewResource, *rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) if err == nil { return true } if !reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) { - err := MatchesResourceDescription(ctx.OldResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) + err := MatchesResourceDescription(ctx.OldResource, *rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) if err == nil { return true } From 94335d58c978c4f00be7a6dfc7053598eac43e40 Mon Sep 17 00:00:00 2001 From: Jim Bugwadia Date: Sun, 3 Oct 2021 23:39:55 -0700 Subject: [PATCH 36/50] fix golangci-lint issues 
Signed-off-by: Jim Bugwadia --- pkg/policy/validate.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index b3160b19f2..ec69afba19 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -148,7 +148,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, // - Mutate // - Validate // - Generate - if err := validateActions(i, &rule, client, mock); err != nil { + if err := validateActions(i, &p.Spec.Rules[i], client, mock); err != nil { return err } From b7c8368569b7cef0d6d790d60d8f81ad2ed5be4e Mon Sep 17 00:00:00 2001 From: Kumar Mallikarjuna Date: Tue, 5 Oct 2021 00:27:39 +0530 Subject: [PATCH 37/50] Adding deprecation warning for any and all (Rebased) (#2466) * added deprecation warning for any and all Signed-off-by: RinkiyaKeDad * Updated schemas Signed-off-by: Kumar Mallikarjuna Co-authored-by: RinkiyaKeDad --- charts/kyverno/templates/crds.yaml | 25 +++++++++-------- .../crds/kyverno.io_clusterpolicies.yaml | 8 ++++-- .../crds/kyverno.io_generaterequests.yaml | 19 +++++++------ definitions/crds/kyverno.io_policies.yaml | 8 ++++-- definitions/install.yaml | 27 ++++++++++++++----- definitions/install_debug.yaml | 27 ++++++++++++++----- pkg/api/kyverno/v1/policy_types.go | 8 ++++++ 7 files changed, 81 insertions(+), 41 deletions(-) diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index b9dde26939..bb94092d21 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -4,6 +4,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '1' + internal.config.kubernetes.io/index: '1' creationTimestamp: null labels: app.kubernetes.io/component: kyverno 
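Review bot: Replacing `&rule` with `&p.Spec.Rules[i]` removes the implicit aliasing of the range variable (every iteration of the old loop took the address of the same `rule` variable), but the hunk leaves the loop body using the range variable `rule` for its other checks while this call now reads `p.Spec.Rules[i]`; presumably those are the same data, yet mixing the two in one loop invites drift, and `validateActions` now receives a pointer into the policy being validated, so any normalisation it performs mutates the caller's object. Consider declaring `rule := &p.Spec.Rules[i]` once at the top of the loop and using it for every check, and documenting that `validateActions` must not modify the rule. The enclosing `Validate` loop starts and ends outside the hunk.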
@@ -575,8 +576,7 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: @@ -1248,9 +1248,7 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: @@ -1748,6 +1746,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '2' + internal.config.kubernetes.io/index: '2' creationTimestamp: null labels: app.kubernetes.io/component: kyverno @@ -2430,6 +2429,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '3' + internal.config.kubernetes.io/index: '3' creationTimestamp: null labels: app.kubernetes.io/component: kyverno @@ -3112,6 +3112,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '4' + internal.config.kubernetes.io/index: '4' creationTimestamp: null labels: app.kubernetes.io/component: kyverno 
@@ -3175,13 +3176,11 @@ spec: description: Context ... properties: admissionRequestInfo: - description: Adding required request information to GR properties: admissionRequest: - description: Adding Admission Request to GR. type: string operation: - description: Current request operation + description: Operation is the type of resource operation being checked for admission control type: string type: object userInfo: @@ -3310,6 +3309,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '5' + internal.config.kubernetes.io/index: '5' creationTimestamp: null labels: app.kubernetes.io/component: kyverno @@ -3882,8 +3882,7 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. Specifying ResourceDescription directly under exclude is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: @@ -4555,9 +4554,7 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: @@ -5056,6 +5053,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '6' + internal.config.kubernetes.io/index: '6' creationTimestamp: null labels: app.kubernetes.io/component: kyverno 
@@ -5736,6 +5734,7 @@ metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.0 config.kubernetes.io/index: '7' + internal.config.kubernetes.io/index: '7' creationTimestamp: null labels: app.kubernetes.io/component: kyverno diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index 27fb8fe9b8..f9d775ad59 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml @@ -570,7 +570,9 @@ spec: type: array resources: description: ResourceDescription contains information about - the resource being created or modified. + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: @@ -1244,7 +1246,9 @@ spec: resources: description: ResourceDescription contains information about the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: diff --git a/definitions/crds/kyverno.io_generaterequests.yaml b/definitions/crds/kyverno.io_generaterequests.yaml index 6ae8b54882..997e3f662f 100644 --- a/definitions/crds/kyverno.io_generaterequests.yaml +++ b/definitions/crds/kyverno.io_generaterequests.yaml @@ -60,6 +60,15 @@ spec: context: description: Context ... properties: + admissionRequestInfo: + properties: + admissionRequest: + type: string + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object userInfo: description: RequestInfo contains permission info carried in an admission request. 
@@ -108,16 +117,6 @@ spec: type: string type: object type: object - admissionRequestInfo: - description: Adding required request information to GR - properties: - admissionRequest: - description: Adding Admission Request to GR. - type: string - operation: - description: Current request operation - type: string - type: object type: object policy: description: Specifies the name of the policy. diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index 5dac0ab41b..c624d893c2 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml @@ -571,7 +571,9 @@ spec: type: array resources: description: ResourceDescription contains information about - the resource being created or modified. + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: @@ -1245,7 +1247,9 @@ spec: resources: description: ResourceDescription contains information about the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: diff --git a/definitions/install.yaml b/definitions/install.yaml index a00da10b61..ce4da86064 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -374,7 +374,10 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: @@ -781,7 +784,11 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: @@ -2154,13 +2161,12 @@ spec: description: Context ... properties: admissionRequestInfo: - description: Adding required request information to GR properties: admissionRequest: - description: Adding Admission Request to GR. type: string operation: - description: Current request operation + description: Operation is the type of resource operation being + checked for admission control type: string type: object userInfo: @@ -2635,7 +2641,10 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: 
@@ -3042,7 +3051,11 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 4ebb00793e..9da4f8765f 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -361,7 +361,10 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: @@ -768,7 +771,11 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: 
@@ -2120,13 +2127,12 @@ spec: description: Context ... properties: admissionRequestInfo: - description: Adding required request information to GR properties: admissionRequest: - description: Adding Admission Request to GR. type: string operation: - description: Current request operation + description: Operation is the type of resource operation being + checked for admission control type: string type: object userInfo: @@ -2594,7 +2600,10 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. + description: ResourceDescription contains information about + the resource being created or modified. Specifying ResourceDescription + directly under exclude is being deprecated. Please specify + under "any" or "all" instead. properties: annotations: additionalProperties: @@ -3001,7 +3010,11 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 3a6aba16f9..1a1236bf68 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go 
@@ -267,11 +267,15 @@ type MatchResources struct { All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` // UserInfo contains information about the user performing the operation. + // Specifying UserInfo directly under match is being deprecated. + // Please specify under "any" or "all" instead. // +optional UserInfo `json:",omitempty" yaml:",omitempty"` // ResourceDescription contains information about the resource being created or modified. // Requires at least one tag to be specified when under MatchResources. + // Specifying ResourceDescription directly under match is being deprecated. + // Please specify under "any" or "all" instead. // +optional ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"` } @@ -288,10 +292,14 @@ type ExcludeResources struct { All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` // UserInfo contains information about the user performing the operation. + // Specifying UserInfo directly under exclude is being deprecated. + // Please specify under "any" or "all" instead. // +optional UserInfo `json:",omitempty" yaml:",omitempty"` // ResourceDescription contains information about the resource being created or modified. + // Specifying ResourceDescription directly under exclude is being deprecated. + // Please specify under "any" or "all" instead. // +optional ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"` } From 9541d2be3eec3303f8c83b723bf784e8813c5c61 Mon Sep 17 00:00:00 2001 
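Review bot: The deprecation notes added to `MatchResources.UserInfo` / `ResourceDescription` and their `ExcludeResources` counterparts are free-form prose, so `staticcheck`, gopls and `go doc` will not flag code that still uses the fields; Go's convention is a paragraph beginning with `Deprecated:` on its own line. Keep the existing sentence (it feeds the generated CRD description) and add the marker after it, e.g. `//` then `// Deprecated: specify UserInfo under "any" or "all" instead; direct use under match will be removed in a future release.` Stating the target removal version, if one has been decided, would also let policy authors plan the migration. Both structs start before their hunks.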
From: Vyankatesh Kudtarkar Date: Tue, 5 Oct 2021 00:30:57 +0530 Subject: [PATCH 38/50] Validate GVK while installing policy & Fix any/all matching logic (#2458) * Handle case-sensitive GVK & Fix any/all matching logic * Fix any/all matching logic in the background controller * fix cli issue * fix any all issue * add exclude block * add validation for exclude block * fix exclude issue --- pkg/policy/existing.go | 8 ------ pkg/policy/validate.go | 60 ++++++++++++++++++++++++++++++++++++------ 2 files changed, 52 insertions(+), 16 deletions(-) diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index 5ebf20aa69..ce92079072 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -30,7 +30,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli } match := rule.MatchResources - exclude := rule.ExcludeResources for _, value := range match.Any { pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) @@ -38,13 +37,6 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli for _, value := range match.All { pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) } - for _, value := range exclude.All { - pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) - } - for _, value := range exclude.Any { - pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) - } - pc.processExistingKinds(match.Kinds, policy, rule, logger) } } diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index ec69afba19..7fbbdd5b29 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go 
@@ -10,13 +10,12 @@ import ( jsonpatch "github.com/evanphx/json-patch/v5" "github.com/jmespath/go-jmespath" - c "github.com/kyverno/kyverno/pkg/common" + kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" + comn "github.com/kyverno/kyverno/pkg/common" + dclient "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/variables" "github.com/kyverno/kyverno/pkg/kyverno/common" - - kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" - dclient "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/openapi" "github.com/kyverno/kyverno/pkg/utils" "github.com/minio/pkg/wildcard" 
@@ -177,12 +176,41 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, } // Validate Kind with match resource kinds - for _, kind := range rule.MatchResources.Kinds { - _, k := c.GetKindFromGVK(kind) - if k == p.Kind { - return fmt.Errorf("kind and match resource kind should not be the same.") + match := rule.MatchResources + exclude := rule.ExcludeResources + for _, value := range match.Any { + err := validateKinds(value.ResourceDescription.Kinds, mock, client, p) + if err != nil { + return fmt.Errorf("the kind defined in the any match resource is invalid") } } + for _, value := range match.All { + err := validateKinds(value.ResourceDescription.Kinds, mock, client, p) + if err != nil { + return fmt.Errorf("the kind defined in the all match resource is invalid") + } + } + for _, value := range exclude.Any { + err := validateKinds(value.ResourceDescription.Kinds, mock, client, p) + + if err != nil { + return fmt.Errorf("the kind defined in the any exclude resource is invalid") + } + } + for _, value := range exclude.All { + err := validateKinds(value.ResourceDescription.Kinds, mock, client, p) + if err != nil { + return fmt.Errorf("the kind defined in the all exclude resource is invalid") + } + } + err := validateKinds(rule.MatchResources.Kinds, mock, client, p) + if err != nil { + return fmt.Errorf("match resource kind is invalid ") + } + err = validateKinds(rule.ExcludeResources.Kinds, mock, client, p) + if err != nil { + return fmt.Errorf("exclude resource kind is invalid ") + } // Validate string values in labels if !isLabelAndAnnotationsString(rule) { 
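Review bot: Each `validateKinds` failure in this hunk is replaced by a fixed string, so the detail `validateKinds` produces — which kind was rejected and the discovery error behind it — is discarded before it reaches the policy author, who is left with "the kind defined in the any match resource is invalid" and no kind name. Wrap instead of replacing: `return fmt.Errorf("the kind defined in the any match resource is invalid: %w", err)` (and likewise for the all/exclude branches). The two trailing messages `"match resource kind is invalid "` and `"exclude resource kind is invalid "` also carry a stray trailing space. `Validate` continues outside the hunk.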
@@ -1027,3 +1055,19 @@ func jsonPatchOnPod(rule kyverno.Rule) bool { return false } + +func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error { + for _, kind := range kinds { + gv, k := comn.GetKindFromGVK(kind) + if !mock { + _, _, err := client.DiscoveryClient.FindResource(gv, k) + if err != nil || strings.ToLower(k) == k { + return fmt.Errorf("match resource kind %s is invalid ", k) + } + } + if k == p.Kind { + return fmt.Errorf("kind and match resource kind should not be the same") + } + } + return nil +} From aba2e58f09a28fbe71c56510b38e9ba61df7c5a0 Mon Sep 17 00:00:00 2001 From: Kumar Mallikarjuna Date: Tue, 5 Oct 2021 11:09:24 +0530 Subject: [PATCH 39/50] Added PodDisruptionBudget in kustomize & helm (Rebased) (#2463) * added pdb in helm & kustomize Signed-off-by: Christopher Haar * added pdb in helm & kustomize Signed-off-by: Christopher Haar * changed for comments Signed-off-by: Christopher Haar * Updating minAvailable Signed-off-by: Kumar Mallikarjuna * Removed redundant lines Signed-off-by: Kumar Mallikarjuna * Updated README Signed-off-by: Kumar Mallikarjuna * Updated README Signed-off-by: Kumar Mallikarjuna Co-authored-by: Christopher Haar Co-authored-by: Christopher Haar --- charts/kyverno/README.md | 3 +++ charts/kyverno/templates/_helpers.tpl | 13 +++++++++++++ .../templates/poddisruptionbudget.yaml | 14 ++++++++++++++ charts/kyverno/values.yaml | 8 ++++++++ definitions/install.yaml | 19 +++++++++++++++++++ definitions/install_debug.yaml | 14 ++++++++++++++ definitions/k8s-resource/kustomization.yaml | 1 + .../k8s-resource/poddisruptionbudget.yaml | 14 ++++++++++++++ 8 files changed, 86 insertions(+) create mode 100644 charts/kyverno/templates/poddisruptionbudget.yaml create mode 100644 definitions/k8s-resource/poddisruptionbudget.yaml diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 5c4cf5fccd..5943f0e900 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
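Review bot: `strings.ToLower(k) == k` rejects any kind with no uppercase letter, which besides catching `pod`-style typos would also reject a wildcard `*` entry if wildcard kinds are accepted elsewhere in the engine (worth confirming), and because it shares an `if` with `FindResource`, a transient discovery failure is reported with the same wording as a typo while the discovery `err` itself is thrown away. The message also says `match resource kind` even though the function is now called for exclude kinds, and in mock (CLI) mode the case check is skipped entirely, so the CLI accepts a policy the controller will reject. Suggest separating the checks, running the case check regardless of `mock`, and wrapping the discovery error:
```go
func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error {
	for _, kind := range kinds {
		gv, k := comn.GetKindFromGVK(kind)
		if k == p.Kind {
			return fmt.Errorf("kind and match resource kind should not be the same")
		}
		// Kubernetes kinds are CamelCase; an all-lowercase kind is almost always a typo
		// that would otherwise match nothing and silently disable the rule.
		if strings.ToLower(k) == k {
			return fmt.Errorf("resource kind %q must use the canonical CamelCase kind name", k)
		}
		if !mock {
			if _, _, err := client.DiscoveryClient.FindResource(gv, k); err != nil {
				return fmt.Errorf("resource kind %q could not be resolved via discovery: %w", k, err)
			}
		}
	}
	return nil
}
```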
@@ -92,6 +92,9 @@ The following table lists the configurable parameters of the kyverno chart and t | `podAnnotations` | annotations to add to each pod | `{}` | | `podLabels` | additional labels to add to each pod | `{}` | | `podSecurityContext` | security context for the pod | `{}` | +| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the kyverno deployment | `false` | +| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for kyverno disruptions. Cannot used if `maxUnavailable` is set. | `0` | +| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for kyverno disruptions. Cannot used if `minAvailable` is set. | `nil` | | `priorityClassName` | priorityClassName | `nil` | | `rbac.create` | create ClusterRoles, ClusterRoleBindings, and ServiceAccount | `true` | | `rbac.serviceAccount.create` | create a ServiceAccount | `true` | diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index dc08df3e40..0ead33fb0a 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl @@ -91,3 +91,16 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{ default "default" .Values.rbac.serviceAccount.name }} {{- end -}} {{- end -}} + +{{/* Create the default PodDisruptionBudget to use */}} +{{- define "podDisruptionBudget.spec" -}} +{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }} +{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}} +{{- end }} +{{- if not .Values.podDisruptionBudget.maxUnavailable }} +minAvailable: {{ default 0 .Values.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} +maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- end }} 
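Review bot: `default 0 .Values.podDisruptionBudget.minAvailable` renders `minAvailable: 0` whenever the user sets neither value, which is a budget that permits every replica to be evicted at once, so turning on `podDisruptionBudget.enabled` without further configuration gives the admission webhook no availability protection; the kustomize source `definitions/k8s-resource/poddisruptionbudget.yaml` later in this patch ships the same `minAvailable: 0`. If 0 is deliberate (keeping a single-replica install drainable), say so next to the commented values in values.yaml: `# minAvailable defaults to 0, which does not block evictions; set it to 1 or higher when running multiple replicas`. Otherwise a default of 1 matches the README's stated purpose.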
diff --git a/charts/kyverno/templates/poddisruptionbudget.yaml b/charts/kyverno/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..4cd6c23515 --- /dev/null +++ b/charts/kyverno/templates/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.fullname" . }} + labels: {{ include "kyverno.labels" . | nindent 4 }} + app: kyverno + namespace: {{ template "kyverno.namespace" . }} +spec: +{{- include "podDisruptionBudget.spec" . | indent 2 }} + selector: + matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} + app: kyverno +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 94ccb3912c..809510d338 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -52,6 +52,14 @@ antiAffinity: # Changing this to a region would allow you to spread pods across regions topologyKey: "kubernetes.io/hostname" +podDisruptionBudget: + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + + # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) + # or a percentage value (e.g. 25%) + nodeSelector: {} tolerations: [] diff --git a/definitions/install.yaml b/definitions/install.yaml index ce4da86064..42c273bbf7 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -4986,3 +4986,22 @@ spec: securityContext: runAsNonRoot: true serviceAccountName: kyverno-service-account +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: kyverno + app.kubernetes.io/component: kyverno + app.kubernetes.io/instance: kyverno + app.kubernetes.io/managed-by: Kustomize + app.kubernetes.io/name: kyverno + app.kubernetes.io/part-of: kyverno + name: kyverno + namespace: kyverno +spec: + minAvailable: 0 + selector: + matchLabels: + app: kyverno + app.kubernetes.io/name: kyverno 
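Review bot: The new template hard-codes `apiVersion: policy/v1beta1`; PodDisruptionBudget is GA as `policy/v1` since Kubernetes 1.21 and the v1beta1 version is scheduled for removal in 1.25, so the chart will stop installing on those clusters. Choosing the version from the API server's capabilities, `{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}` with a v1beta1 fallback in the `{{- else }}` branch, keeps the chart working on both; the generated `definitions/install.yaml` in the same hunk line carries the same version and would need regenerating.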
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 9da4f8765f..4d06fa3e67 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -4679,3 +4679,17 @@ spec: selector: app: kyverno app.kubernetes.io/name: kyverno +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: kyverno + name: kyverno + namespace: kyverno +spec: + minAvailable: 0 + selector: + matchLabels: + app: kyverno + app.kubernetes.io/name: kyverno diff --git a/definitions/k8s-resource/kustomization.yaml b/definitions/k8s-resource/kustomization.yaml index b55b4b834f..2f0516dc26 100755 --- a/definitions/k8s-resource/kustomization.yaml +++ b/definitions/k8s-resource/kustomization.yaml @@ -8,3 +8,4 @@ resources: - ./metricsconfigmap.yaml - ./service.yaml - ./serviceaccount.yaml +- ./poddisruptionbudget.yaml diff --git a/definitions/k8s-resource/poddisruptionbudget.yaml b/definitions/k8s-resource/poddisruptionbudget.yaml new file mode 100644 index 0000000000..887a2adff6 --- /dev/null +++ b/definitions/k8s-resource/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: kyverno + labels: + app: kyverno + namespace: kyverno +spec: + minAvailable: 0 + selector: + matchLabels: + app: kyverno + # do not remove + app.kubernetes.io/name: kyverno \ No newline at end of file From ae6f6c327f3c86cc3196eb540713ff0d45f28343 Mon Sep 17 00:00:00 2001 
From: vivek kumar sahu Date: Fri, 1 Oct 2021 14:16:33 +0530 Subject: [PATCH 40/50] Added Code to support the test command for mutate policy (#2279) * Added test-e2e-local in the Makefile * Added a proper Indentation * Added 3 more fields * Added getPolicyResourceFullPath function * Updating the patchedResource path to full path * Converts Namespaced policy to ClusterPolicy * Added GetPatchedResourceFromPath function * Added GetPatchedResource function * Checks for namespaced-policy from policy name provided bu user * Generalizing resultKey for both validate and mutate. Also added kind field to this key * Added Type field to PolicySpec * To handle mutate case when resource and patchedResource are equal * fetch patchResource from path provided by user and compare it with engine patchedResource * generating result by comparing patchedResource * Added kind to resultKey * Handles namespaced policy results * Skip is required * Added []*response.EngineResponse return type in ApplyPolicyOnResource function * namespaced policy only surpasses resources having same namespace as policy * apply command will print the patchedResource whereas test will not * passing engineResponse instead of validateEngineResponse because it supports results for both validate and mutate case * default namespace will printed in the output table if no namespace is being provided by the user * Added e2e test for mutate policy and also examples for both type of policies * Created a separate function to get resultKey * Changes in the resultKey for validate case * Added help description for test command in the cli * fixes code for more test cases * fixes code to support more cases and also added resources for e2e-test * some small changes like adding brackets, clubbing 2 if cond into one, changing variable name, etc. * Rearrange GetPatchedResourceFromPath function to get rid from repetion of same thing twice. 
* Added kind in the result section of test.yaml for all test-cases * engineResponse will handle different types of response * GetPatchedResource() uses GetResource function to fetch patched resource 
Signed-off-by: viveksahu26 --- Makefile | 1 + pkg/engine/generation.go | 4 +- pkg/engine/mutation.go | 2 +- pkg/engine/utils.go | 5 +- pkg/engine/utils_test.go | 14 +- pkg/engine/validation.go | 4 +- pkg/kyverno/apply/apply_command.go | 2 +- pkg/kyverno/common/common.go | 59 +++- pkg/kyverno/common/common_test.go | 2 +- pkg/kyverno/common/fetch.go | 8 + pkg/kyverno/test/test_command.go | 294 ++++++++++++++++-- pkg/utils/loadpolicy.go | 6 + test/cli/test-fail/missing-policy/test.yaml | 1 + test/cli/test-fail/missing-resource/test.yaml | 1 + test/cli/test-fail/missing-rule/test.yaml | 1 + test/cli/test-mutate/patchedResource1.yaml | 16 + test/cli/test-mutate/patchedResource10.yaml | 25 ++ test/cli/test-mutate/patchedResource11.yaml | 10 + test/cli/test-mutate/patchedResource2.yaml | 12 + test/cli/test-mutate/patchedResource3.yaml | 12 + test/cli/test-mutate/patchedResource4.yaml | 23 ++ test/cli/test-mutate/patchedResource5.yaml | 12 + test/cli/test-mutate/patchedResource6.yaml | 11 + test/cli/test-mutate/patchedResource7.yaml | 16 + test/cli/test-mutate/patchedResource8.yaml | 15 + test/cli/test-mutate/patchedResource9.yaml | 11 + test/cli/test-mutate/policy.yaml | 62 ++++ test/cli/test-mutate/resource.yaml | 100 ++++++ test/cli/test-mutate/test.yaml | 86 +++++ test/cli/test/autogen/test.yaml | 8 + test/cli/test/simple/test.yaml | 5 + test/cli/test/variables/test.yaml | 4 + 32 files changed, 780 insertions(+), 52 deletions(-) create mode 100644 test/cli/test-mutate/patchedResource1.yaml create mode 100644 test/cli/test-mutate/patchedResource10.yaml create mode 100644 test/cli/test-mutate/patchedResource11.yaml create mode 100644 test/cli/test-mutate/patchedResource2.yaml create mode 100644 test/cli/test-mutate/patchedResource3.yaml create mode 100644 test/cli/test-mutate/patchedResource4.yaml create mode 100644 test/cli/test-mutate/patchedResource5.yaml create mode 100644 test/cli/test-mutate/patchedResource6.yaml create mode 100644 
test/cli/test-mutate/patchedResource7.yaml create mode 100644 test/cli/test-mutate/patchedResource8.yaml create mode 100644 test/cli/test-mutate/patchedResource9.yaml create mode 100644 test/cli/test-mutate/policy.yaml create mode 100644 test/cli/test-mutate/resource.yaml create mode 100644 test/cli/test-mutate/test.yaml diff --git a/Makefile b/Makefile index a986d19a32..512e6092df 100644 --- a/Makefile +++ b/Makefile @@ -198,6 +198,7 @@ test-e2e-local: #Test TestCmd Policy test-cmd: cli $(PWD)/$(CLI_PATH)/kyverno test https://github.com/kyverno/policies/main + $(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-mutate $(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test $(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-fail/missing-policy && exit 1 || exit 0 $(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-fail/missing-rule && exit 1 || exit 0 diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 6750977404..dcd6257807 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -75,10 +75,10 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR logger := log.Log.WithName("Generate").WithValues("policy", policy.Name, "kind", newResource.GetKind(), "namespace", newResource.GetNamespace(), "name", newResource.GetName()) - if err = MatchesResourceDescription(newResource, rule, admissionInfo, excludeGroupRole, namespaceLabels); err != nil { + if err = MatchesResourceDescription(newResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, ""); err != nil { // if the oldResource matched, return "false" to delete GR for it - if err = MatchesResourceDescription(oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels); err == nil { + if err = MatchesResourceDescription(oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, ""); err == nil { return &response.RuleResponse{ Name: rule.Name, Type: "Generation", 
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 75a5a74ef4..6cd0a221e4 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -65,7 +65,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { excludeResource = policyContext.ExcludeGroupRole } - if err = MatchesResourceDescription(patchedResource, rule, policyContext.AdmissionInfo, excludeResource, policyContext.NamespaceLabels); err != nil { + if err = MatchesResourceDescription(patchedResource, rule, policyContext.AdmissionInfo, excludeResource, policyContext.NamespaceLabels, policyContext.Policy.Namespace); err != nil { logger.V(4).Info("rule not matched", "reason", err.Error()) continue } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 8b7929be18..7e82a50264 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -256,13 +256,16 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User } //MatchesResourceDescription checks if the resource matches resource description of the rule or not -func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error { +func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string, policyNamespace string) error { rule := *ruleRef.DeepCopy() resource := *resourceRef.DeepCopy() admissionInfo := *admissionInfoRef.DeepCopy() var reasonsForFailure []error + if policyNamespace != "" && policyNamespace != resourceRef.GetNamespace() { + return errors.New(" The policy and resource namespace are different. Therefore, policy skip this resource.") + } if len(rule.MatchResources.Any) > 0 { // inlcude object if ANY of the criterias match // so if one matches then break from loop 
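Review bot: The new `policyNamespace` gate in `MatchesResourceDescription` only takes effect on the Mutate path, because `pkg/engine/mutation.go` passes `policyContext.Policy.Namespace` while `generation.go` and `validation.go` (later in this patch) pass `""`; if the intent is that a namespaced Policy never acts on resources outside its own namespace, its validate and generate rules remain unrestricted at the engine level unless the callers filter elsewhere, which the patch does not show. The error string `" The policy and resource namespace are different. Therefore, policy skip this resource."` has a leading space, a trailing period and a grammar slip; `errors.New("policy and resource namespaces differ, skipping resource")` reads cleaner. The function body continues past the hunk.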
diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 11340244cc..8de2ef5662 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -898,7 +898,7 @@ func TestMatchesResourceDescription(t *testing.T) { resource, _ := utils.ConvertToUnstructured(tc.Resource) for _, rule := range policy.Spec.Rules { - err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo, []string{}, nil) + err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo, []string{}, nil, "") if err != nil { if !tc.areErrorsExpected { t.Errorf("Testcase %d Unexpected error: %v", i+1, err) @@ -966,7 +966,7 @@ func TestResourceDescriptionMatch_MultipleKind(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err != nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err != nil { t.Errorf("Testcase has failed due to the following:%v", err) } @@ -1027,7 +1027,7 @@ func TestResourceDescriptionMatch_Name(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err != nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err != nil { t.Errorf("Testcase has failed due to the following:%v", err) } } 
@@ -1087,7 +1087,7 @@ func TestResourceDescriptionMatch_Name_Regex(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err != nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err != nil { t.Errorf("Testcase has failed due to the following:%v", err) } } @@ -1155,7 +1155,7 @@ func TestResourceDescriptionMatch_Label_Expression_NotMatch(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err != nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err != nil { t.Errorf("Testcase has failed due to the following:%v", err) } } @@ -1224,7 +1224,7 @@ func TestResourceDescriptionMatch_Label_Expression_Match(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err != nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err != nil { t.Errorf("Testcase has failed due to the following:%v", err) } } 
@@ -1304,7 +1304,7 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) { rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}, ExcludeResources: kyverno.ExcludeResources{ResourceDescription: resourceDescriptionExclude}} - if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil); err == nil { + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}, []string{}, nil, ""); err == nil { t.Errorf("Testcase has failed due to the following:\n Function has returned no error, even though it was supposed to fail") } } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 88d68633b3..fc4eb85ee4 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -198,13 +198,13 @@ func validateResourceWithRule(log logr.Logger, ctx *PolicyContext, rule kyverno. // matches checks if either the new or old resource satisfies the filter conditions defined in the rule func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool { - err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) + err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "") if err == nil { return true } if !reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) { - err := MatchesResourceDescription(ctx.OldResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels) + err := MatchesResourceDescription(ctx.OldResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "") if err == nil { return true } diff --git a/pkg/kyverno/apply/apply_command.go b/pkg/kyverno/apply/apply_command.go index 4dfdfff698..c86f96f6fb 100644 --- a/pkg/kyverno/apply/apply_command.go +++ b/pkg/kyverno/apply/apply_command.go 
@@ -286,7 +286,7 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, return rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.Name, resource.GetName()), err) } - _, info, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, policyReport, namespaceSelectorMap, stdin, rc) + _, info, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, policyReport, namespaceSelectorMap, stdin, rc, true) if err != nil { return rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) } diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 10eb1ae4d0..bf5efb0842 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -524,7 +524,7 @@ func MutatePolices(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) { // ApplyPolicyOnResource - function to apply policy on resource func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured, - mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts) (*response.EngineResponse, policyreport.Info, error) { + mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts, printPatchResource bool) (*response.EngineResponse, policyreport.Info, error) { operationIsDelete := false 
@@ -533,7 +533,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } namespaceLabels := make(map[string]string) - + var engineResponse *response.EngineResponse policyWithNamespaceSelector := false for _, p := range policy.Spec.Rules { if p.MatchResources.ResourceDescription.NamespaceSelector != nil || @@ -547,7 +547,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst resourceNamespace := resource.GetNamespace() namespaceLabels = namespaceSelectorMap[resource.GetNamespace()] if resourceNamespace != "default" && len(namespaceLabels) < 1 { - return &response.EngineResponse{}, policyreport.Info{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) + return engineResponse, policyreport.Info{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) } } @@ -575,10 +575,14 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } mutateResponse := engine.Mutate(&engine.PolicyContext{Policy: *policy, NewResource: *resource, JSONContext: ctx, NamespaceLabels: namespaceLabels}) - err = processMutateEngineResponse(policy, mutateResponse, resPath, rc, mutateLogPath, stdin, mutateLogPathIsDir, resource.GetName()) + + if mutateResponse != nil { + engineResponse = mutateResponse + } + err = processMutateEngineResponse(policy, mutateResponse, resPath, rc, mutateLogPath, stdin, mutateLogPathIsDir, resource.GetName(), printPatchResource) if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return &response.EngineResponse{}, policyreport.Info{}, sanitizederror.NewWithError("failed to print mutated result", err) + return engineResponse, policyreport.Info{}, sanitizederror.NewWithError("failed to print mutated result", err) } } 
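Review bot: The two error returns in the `-547` and `-575` hunks now hand back `engineResponse`, which is still nil at those points, where the removed lines returned `&response.EngineResponse{}`; a caller that uses the first return value without first checking `err` (the test command appears to gather responses into the slice that `buildPolicyResults` dereferences) would now panic instead of seeing an empty response. Either keep returning an empty struct on the error paths or make sure every caller discards the response when `err != nil`. ApplyPolicyOnResource starts and ends outside these hunks.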
@@ -604,6 +608,9 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst validateResponse = engine.Validate(policyCtx) info = ProcessValidateEngineResponse(policy, validateResponse, resPath, rc, policyReport) } + if validateResponse != nil { + engineResponse = validateResponse + } var policyHasGenerate bool for _, rule := range policy.Spec.Rules { @@ -624,10 +631,13 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst NamespaceLabels: namespaceLabels, } generateResponse := engine.Generate(policyContext) + if validateResponse != nil { + engineResponse = generateResponse + } processGenerateEngineResponse(policy, generateResponse, resPath, rc) } - return validateResponse, info, nil + return engineResponse, info, nil } // PrintMutatedOutput - function to print output in provided file or directory @@ -876,7 +886,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string return variables } -func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *response.EngineResponse, resPath string, rc *ResultCounts, mutateLogPath string, stdin bool, mutateLogPathIsDir bool, resourceName string) error { +func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *response.EngineResponse, resPath string, rc *ResultCounts, mutateLogPath string, stdin bool, mutateLogPathIsDir bool, resourceName string, printPatchResource bool) error { var policyHasMutate bool for _, rule := range policy.Spec.Rules { if rule.HasMutate() { 
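Review bot: The guard before `engineResponse = generateResponse` in the `-624` hunk tests `validateResponse != nil` instead of `generateResponse`, so for a generate-only policy the generate response is never returned, and for a policy with both rule types the validate result is silently replaced; it should read `if generateResponse != nil { engineResponse = generateResponse }`. It looks like a copy of the `validateResponse` block added just above in the `-604` hunk. ApplyPolicyOnResource starts and ends outside these hunks.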
@@ -922,11 +932,12 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo if mutateLogPath == "" { mutatedResource := string(yamlEncodedResource) + string("\n---") if len(strings.TrimSpace(mutatedResource)) > 0 { - if !stdin { + if !stdin && printPatchResource { fmt.Printf("\nmutate policy %s applied to %s:", policy.Name, resPath) } - fmt.Printf("\n" + mutatedResource) - fmt.Printf("\n") + if printPatchResource { + fmt.Printf("\n" + mutatedResource) + } } } else { err := PrintMutatedOutput(mutateLogPath, mutateLogPathIsDir, string(yamlEncodedResource), resourceName+"-mutated") @@ -993,3 +1004,31 @@ func GetKindsFromPolicy(policy *v1.ClusterPolicy) map[string]struct{} { } return kindOnwhichPolicyIsApplied } + +//GetPatchedResourceFromPath - get patchedResource from given path +func GetPatchedResourceFromPath(fs billy.Filesystem, path string, isGit bool, policyResourcePath string) (unstructured.Unstructured, error) { + var patchedResourceBytes []byte + var patchedResource unstructured.Unstructured + var err error + if isGit { + if len(path) > 0 { + filep, err := fs.Open(filepath.Join(policyResourcePath, path)) + if err != nil { + fmt.Printf("Unable to open patchedResource file: %s. \nerror: %s", path, err) + } + patchedResourceBytes, err = ioutil.ReadAll(filep) + } + } else { + patchedResourceBytes, err = getFileBytes(path) + + } + if err != nil { + fmt.Printf("\n----------------------------------------------------------------------\nfailed to load patchedResource: %s. \nerror: %s\n----------------------------------------------------------------------\n", path, err) + return patchedResource, err + } + patchedResource, err = GetPatchedResource(patchedResourceBytes) + if err != nil { + return patchedResource, err + } + return patchedResource, nil +} diff --git a/pkg/kyverno/common/common_test.go b/pkg/kyverno/common/common_test.go index 4a8f02126d..d34b65839f 100644 --- a/pkg/kyverno/common/common_test.go 
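Review bot: In the `-922` hunk the retained `fmt.Printf("\n" + mutatedResource)` uses the mutated resource's YAML as the format string, so any `%` in the resource content (annotations, scripts embedded in a ConfigMap) is interpreted as a verb and garbles the printed output; `fmt.Printf("\n%s\n", mutatedResource)` fixes that and also restores the trailing newline that the removed `fmt.Printf("\n")` used to print. processMutateEngineResponse continues outside the hunk.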
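Review bot: In `GetPatchedResourceFromPath` the `filep, err := fs.Open(...)` inside the `isGit` branch shadows the outer `err`, so an open failure is only printed, `ioutil.ReadAll(filep)` then runs on a nil file, and the read error lands in the shadowed variable that the later `if err != nil` never sees; the opened file is also never closed. Return on the open error, defer the close, and assign the read result to the outer `err`. The banner-style `fmt.Printf` on the failure path duplicates what the returned error carries; one of the two is enough.
```go
	if isGit {
		if len(path) > 0 {
			filep, openErr := fs.Open(filepath.Join(policyResourcePath, path))
			if openErr != nil {
				return patchedResource, fmt.Errorf("unable to open patchedResource file %s: %w", path, openErr)
			}
			defer filep.Close()
			patchedResourceBytes, err = ioutil.ReadAll(filep)
		}
	} else {
		patchedResourceBytes, err = getFileBytes(path)
	}
	// … unchanged: error report and GetPatchedResource call …
```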
+++ b/pkg/kyverno/common/common_test.go @@ -98,7 +98,7 @@ func Test_NamespaceSelector(t *testing.T) { for _, tc := range testcases { policyArray, _ := ut.GetPolicy(tc.policy) resourceArray, _ := GetResource(tc.resource) - ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, false, tc.namespaceSelectorMap, false, rc) + ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, false, tc.namespaceSelectorMap, false, rc, false) assert.Assert(t, int64(rc.Pass) == int64(tc.result.Pass)) assert.Assert(t, int64(rc.Fail) == int64(tc.result.Fail)) assert.Assert(t, int64(rc.Skip) == int64(tc.result.Skip)) diff --git a/pkg/kyverno/common/fetch.go b/pkg/kyverno/common/fetch.go index 2958b734fd..f067610e3d 100644 --- a/pkg/kyverno/common/fetch.go +++ b/pkg/kyverno/common/fetch.go @@ -275,6 +275,14 @@ func convertResourceToUnstructured(resourceYaml []byte) (*unstructured.Unstructu return resource, nil } +// GetPatchedResource converts raw bytes to unstructured object +func GetPatchedResource(patchResourceBytes []byte) (patchedResource unstructured.Unstructured, err error) { + getPatchedResource, err := GetResource(patchResourceBytes) + patchedResource = *getPatchedResource[0] + + return patchedResource, nil +} + // getKindsFromPolicy will return the kinds from policy match block func getKindsFromPolicy(rule v1.Rule) map[string]bool { var resourceTypesMap = make(map[string]bool) diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 3518745e76..c6e900f94b 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -7,6 +7,7 @@ import ( "net/url" "os" "path/filepath" + "regexp" "sort" "strings" "time" 
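Review bot: `GetPatchedResource` ignores the error from `GetResource` and indexes `getPatchedResource[0]` unconditionally, so a malformed or empty patchedResource file panics with an index out of range instead of producing a test failure, and the named `err` result is always returned as nil. Check the error and the slice length before indexing; the `fmt.Errorf` below assumes `fmt` is imported in fetch.go, which the hunk does not show, so substitute whichever error constructor the file already uses.
```go
func GetPatchedResource(patchResourceBytes []byte) (patchedResource unstructured.Unstructured, err error) {
	resources, err := GetResource(patchResourceBytes)
	if err != nil {
		return patchedResource, err
	}
	if len(resources) == 0 {
		return patchedResource, fmt.Errorf("no resource found in patchedResource")
	}
	return *resources[0], nil
}
```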
@@ -14,11 +15,13 @@ import ( "github.com/fatih/color" "github.com/go-git/go-billy/v5" "github.com/go-git/go-billy/v5/memfs" + "github.com/go-logr/logr" "github.com/kataras/tablewriter" report "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha2" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/engine/utils" + "github.com/kyverno/kyverno/pkg/generate" "github.com/kyverno/kyverno/pkg/kyverno/common" sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError" "github.com/kyverno/kyverno/pkg/kyverno/store" 
@@ -30,17 +33,105 @@ import ( "github.com/spf13/cobra" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/yaml" log "sigs.k8s.io/controller-runtime/pkg/log" ) +var longHelp = ` +Test command provides a facility to test policies on resources. For that, user needs to provide the path of the folder containing test.yaml file. + + kyverno test /path/to/folderContaningTestYamls + or + kyverno test /path/to/githubRepository + +The test.yaml file is configuration file for test command. It consists of 4 parts:- + "policies" (required) --> element lists one or more path of policies + "resources" (required) --> element lists one or more path of resources. + "variables" (optional) --> element with one variables files + "results" (required) --> element lists one more expected result. +` +var exampleHelp = ` +For Validate Policy + test.yaml + +- name: test-1 + policies: + - + - + resources: + - + - + results: + - policy: + rule: + resource: + namespace: (OPTIONAL) + kind: + result: + +For more visit --> https://kyverno.io/docs/kyverno-cli/#test + + +For Mutate Policy +1) Policy (Namespaced-policy) + + test.yaml + +- name: test-1 + policies: + - + - + resources: + - + - + results: + - policy: / + rule: + resource: + namespace: (OPTIONAL) + patchedResource: + kind: + result: + + +2) ClusterPolicy(cluster-wide policy) + + test.yaml + +- name: test-1 + policies: + - + - + resources: + - + - + results: + - policy: + rule: + resource: + namespace: (OPTIONAL) + kind: + patchedResource: + result: + +NOTE:- +In the results section, policy(if ClusterPolicy) or /(if Policy), rule, resource, kind and result are mandatory fields for all type of policy. + +pass --> patched Resource generated from engine equals to patched Resource provided by the user. +fail --> patched Resource generated from engine is not equals to patched provided by the user. +skip --> rule is not applied. 
+` + // Command returns version command func Command() *cobra.Command { var cmd *cobra.Command var valuesFile, fileName string cmd = &cobra.Command{ - Use: "test", - Short: "run tests from directory", + Use: "test", + Short: "run tests from directory", + Long: longHelp, + Example: exampleHelp, RunE: func(cmd *cobra.Command, dirPath []string) (err error) { defer func() { if err != nil { @@ -76,6 +167,9 @@ type TestResults struct { Result report.PolicyResult `json:"result"` Status report.PolicyResult `json:"status"` Resource string `json:"resource"` + Kind string `json:"kind"` + Namespace string `json:"namespace"` + PatchedResource string `json:"patchedResource"` AutoGeneratedRule string `json:"auto_generated_rule"` } @@ -235,19 +329,21 @@ func getLocalDirTestFiles(fs billy.Filesystem, path, fileName, valuesFile string return errors } -func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResults, infos []policyreport.Info) (map[string]report.PolicyReportResult, []TestResults) { +func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResults, infos []policyreport.Info, policyResourcePath string, fs billy.Filesystem, isGit bool) (map[string]report.PolicyReportResult, []TestResults) { results := make(map[string]report.PolicyReportResult) now := metav1.Timestamp{Seconds: time.Now().Unix()} for _, resp := range resps { policyName := resp.PolicyResponse.Policy.Name resourceName := resp.PolicyResponse.Resource.Name + resourceKind := resp.PolicyResponse.Resource.Kind + resourceNamespace := resp.PolicyResponse.Resource.Namespace + policyNamespace := resp.PolicyResponse.Policy.Namespace var rules []string for _, rule := range resp.PolicyResponse.Rules { rules = append(rules, rule.Name) } - result := report.PolicyReportResult{ Policy: policyName, Resources: []*corev1.ObjectReference{ 
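Review bot: The long help added in the `-30` hunk has wording slips that will appear verbatim in `kyverno test --help`: `folderContaningTestYamls`, `element lists one more expected result`, and `is not equals to patched provided by the user`; suggest `folderContainingTestYamls`, `lists one or more expected results`, and `does not equal the patched resource provided by the user`. The `policies:` and `resources:` entries in the examples are empty bullets, so the placeholders presumably meant to be there (a path per entry) are missing, at least as this patch renders. The rest of the `Command` body continues outside the hunk.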
@@ -256,9 +352,19 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu }, }, } - + var patcheResourcePath []string for i, test := range testResults { + var userDefinedPolicyNamespace string + var userDefinedPolicyName string + found, _ := isNamespacedPolicy(test.Policy) + if found { + userDefinedPolicyNamespace, userDefinedPolicyName = getUserDefinedPolicyNameAndNamespace(test.Policy) + test.Policy = userDefinedPolicyName + } + if test.Policy == policyName && test.Resource == resourceName { + var resultsKey string + resultsKey = GetResultKeyAccordingToTestResults(userDefinedPolicyNamespace, test.Policy, test.Rule, test.Namespace, test.Kind, test.Resource) if !util.ContainsString(rules, test.Rule) { if !util.ContainsString(rules, "autogen-"+test.Rule) { if !util.ContainsString(rules, "autogen-cronjob-"+test.Rule) { 
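Review bot: `found, _ := isNamespacedPolicy(test.Policy)` drops the second return value, which from its position looks like an error (the function is not in the hunk); if `isNamespacedPolicy` can fail on a malformed `namespace/name`, that test entry would silently be treated as a cluster policy. `var resultsKey string` followed by an assignment is a plain `resultsKey := GetResultKeyAccordingToTestResults(...)`. The loop body continues in the next hunk.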
@@ -266,18 +372,55 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu } else { testResults[i].AutoGeneratedRule = "autogen-cronjob" test.Rule = "autogen-cronjob-" + test.Rule + resultsKey = GetResultKeyAccordingToTestResults(userDefinedPolicyNamespace, test.Policy, test.Rule, test.Namespace, test.Kind, test.Resource) } } else { testResults[i].AutoGeneratedRule = "autogen" test.Rule = "autogen-" + test.Rule + resultsKey = GetResultKeyAccordingToTestResults(userDefinedPolicyNamespace, test.Policy, test.Rule, test.Namespace, test.Kind, test.Resource) + } + if results[resultsKey].Result == "" { + result.Result = report.StatusSkip + results[resultsKey] = result } } - resultsKey := fmt.Sprintf("%s-%s-%s", test.Policy, test.Rule, test.Resource) + patcheResourcePath = append(patcheResourcePath, test.PatchedResource) + if _, ok := results[resultsKey]; !ok { results[resultsKey] = result } } + + } + + for _, rule := range resp.PolicyResponse.Rules { + if rule.Type != utils.Mutation.String() { + continue + } + var resultsKey []string + var resultKey string + + var result report.PolicyReportResult + resultsKey = GetAllPossibleResultsKey(policyNamespace, policyName, rule.Name, resourceNamespace, resourceKind, resourceName) + for _, resultK := range resultsKey { + if val, ok := results[resultK]; ok { + result = val + resultKey = resultK + } else { + continue + } + var x string + for _, path := range patcheResourcePath { + result.Result = report.StatusFail + x = getAndComparePatchedResource(path, resp.PatchedResource, isGit, policyResourcePath, fs) + if x == "pass" { + result.Result = report.StatusPass + break + } + } + results[resultKey] = result + } } } 
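Review bot: The mutation check in the second loop compares `resp.PatchedResource` against every entry of `patcheResourcePath`, which collects the `PatchedResource` of every test entry with the same policy and resource name regardless of namespace or kind, and it records a pass as soon as any of them matches; with the fixtures in this patch (two `same-name-but-diff-namespace` entries) a test whose own patched resource differs can therefore pass because a sibling entry's file happens to match. The collected paths should be keyed by the entry's resultsKey and only that entry's path compared, and empty `PatchedResource` values should not be collected at all (they otherwise reach getAndComparePatchedResource and, via its `os.Exit(1)`, terminate the run). The slice is declared as `var patcheResourcePath []string` in the previous hunk, so the declaration changes there; the loop below is what I would write here. buildPolicyResults starts and ends outside this hunk.
```go
// … unchanged: result construction …
patchedResourcePaths := make(map[string]string) // resultsKey -> user-supplied patchedResource
for i, test := range testResults {
	// … unchanged: namespaced-policy handling and resultsKey computation …
	if test.PatchedResource != "" {
		patchedResourcePaths[resultsKey] = test.PatchedResource
	}
	if _, ok := results[resultsKey]; !ok {
		results[resultsKey] = result
	}
}
for _, rule := range resp.PolicyResponse.Rules {
	if rule.Type != utils.Mutation.String() {
		continue
	}
	for _, resultK := range GetAllPossibleResultsKey(policyNamespace, policyName, rule.Name, resourceNamespace, resourceKind, resourceName) {
		result, ok := results[resultK]
		if !ok {
			continue
		}
		path, ok := patchedResourcePaths[resultK]
		if !ok {
			continue // this entry supplied no patchedResource; leave its result untouched
		}
		result.Result = report.StatusFail
		if getAndComparePatchedResource(path, resp.PatchedResource, isGit, policyResourcePath, fs) == "pass" {
			result.Result = report.StatusPass
		}
		results[resultK] = result
	}
}
```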
@@ -289,18 +432,23 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu } var result report.PolicyReportResult - resultsKey := fmt.Sprintf("%s-%s-%s", info.PolicyName, rule.Name, infoResult.Resource.Name) - if val, ok := results[resultsKey]; ok { - result = val - } else { - continue + var resultsKey []string + var resultKey string + resultsKey = GetAllPossibleResultsKey("", info.PolicyName, rule.Name, infoResult.Resource.Namespace, infoResult.Resource.Kind, infoResult.Resource.Name) + for _, resultK := range resultsKey { + if val, ok := results[resultK]; ok { + result = val + resultKey = resultK + } else { + continue + } } result.Rule = rule.Name result.Result = report.PolicyResult(rule.Check) result.Source = policyreport.SourceValue result.Timestamp = now - results[resultsKey] = result + results[resultKey] = result } } } 
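Review bot: The rewritten lookup no longer skips entries that have no matching key: the removed `else { continue }` left the enclosing rule loop, whereas the new `continue` only advances the inner `for _, resultK` loop, so when none of the candidate keys exists `resultKey` is still `""` and `results[resultKey] = result` stores a zero `result` under the empty key. Add `if resultKey == "" { continue }` after the inner loop, and `break` once a key is found so the first candidate wins deterministically rather than the last. The enclosing function and loop start outside this hunk.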
@@ -308,20 +456,89 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu return results, testResults } -func getPolicyResourceFullPath(path []string, policyResourcePath string, isGit bool) []string { +func GetAllPossibleResultsKey(policyNamespace, policy, rule, namespace, kind, resource string) []string { + var resultsKey []string + resultKey1 := fmt.Sprintf("%s-%s-%s-%s", policy, rule, kind, resource) + resultKey2 := fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, namespace, kind, resource) + resultKey3 := fmt.Sprintf("%s-%s-%s-%s-%s", policyNamespace, policy, rule, kind, resource) + resultKey4 := fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNamespace, policy, rule, namespace, kind, resource) + resultsKey = append(resultsKey, resultKey1, resultKey2, resultKey3, resultKey4) + return resultsKey +} + +func GetResultKeyAccordingToTestResults(policyNs, policy, rule, namespace, kind, resource string) string { + var resultKey string + resultKey = fmt.Sprintf("%s-%s-%s-%s", policy, rule, kind, resource) + + if namespace != "" || policyNs != "" { + if policyNs != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource) + if namespace != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, namespace, kind, resource) + } + } else { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, namespace, kind, resource) + } + } + return resultKey +} + +func isNamespacedPolicy(policyNames string) (bool, error) { + return regexp.MatchString("^[a-z]*/[a-z]*", policyNames) +} + +func getUserDefinedPolicyNameAndNamespace(policyName string) (string, string) { + policy := policyName + policy_n_ns := strings.Split(policyName, "/") + namespace := policy_n_ns[0] + policy = policy_n_ns[1] + return namespace, policy +} + +// getAndComparePatchedResource --> Get the patchedResource from the path provided by user +// And compare this patchedResource with engine generated patcheResource. 
+func getAndComparePatchedResource(path string, enginePatchedResource unstructured.Unstructured, isGit bool, policyResourcePath string, fs billy.Filesystem) string { + var status string + patchedResources, err := common.GetPatchedResourceFromPath(fs, path, isGit, policyResourcePath) + if err != nil { + os.Exit(1) + } + var log logr.Logger + matched, err := generate.ValidateResourceWithPattern(log, enginePatchedResource.UnstructuredContent(), patchedResources.UnstructuredContent()) + + if err != nil { + status = "fail" + } + if matched == "" { + status = "pass" + } + return status +} + +func getPolicyResourceFullPaths(path []string, policyResourcePath string, isGit bool) []string { var pol []string if !isGit { for _, p := range path { - pol = append(pol, filepath.Join(policyResourcePath, p)) + pol = append(pol, getPolicyResourceFullPath(p, policyResourcePath, isGit)) } return pol } return path } +func getPolicyResourceFullPath(path string, policyResourcePath string, isGit bool) string { + var pol string + if !isGit { + pol = filepath.Join(policyResourcePath, path) + + return pol + } + return path +} + func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile string, isGit bool, policyResourcePath string, rc *resultCounts) (err error) { openAPIController, err := openapi.NewOpenAPIController() - validateEngineResponses := make([]*response.EngineResponse, 0) + engineResponses := make([]*response.EngineResponse, 0) var dClient *client.Client values := &Test{} var variablesString string 
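Review bot: `isNamespacedPolicy` matches `^[a-z]*/[a-z]*`, which rejects any namespace containing a digit or hyphen (for example `kube-system/add-ndots` fails at the hyphen), so such policies are treated as cluster-wide and their result keys never line up with the engine's; the same pattern also accepts a bare `/`. If the intent is "has a namespace prefix", `strings.Contains(policyNames, "/")` is enough, otherwise compile a DNS-1123-shaped pattern once at package level with `regexp.MustCompile` so the error return (discarded at every call site in this patch) disappears. In `getAndComparePatchedResource`, `os.Exit(1)` terminates the whole test run on a load failure without printing `err`, a `var log logr.Logger` nil interface is handed to `generate.ValidateResourceWithPattern` (if the callee logs through it, that panics), and when the resources simply differ the function returns `""` rather than `"fail"`; I would at least write `fmt.Fprintf(os.Stderr, "failed to load patched resource %s: %v\n", path, err)` and `return "fail"` for both error paths. Also, `policy_n_ns` should be `policyAndNs` per Go naming, and the two new exported `Get...Key` functions lack doc comments explaining the four key layouts they produce.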
@@ -343,9 +560,15 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s return err } - fullPolicyPath := getPolicyResourceFullPath(values.Policies, policyResourcePath, isGit) - fullResourcePath := getPolicyResourceFullPath(values.Resources, policyResourcePath, isGit) + fullPolicyPath := getPolicyResourceFullPaths(values.Policies, policyResourcePath, isGit) + fullResourcePath := getPolicyResourceFullPaths(values.Resources, policyResourcePath, isGit) + for i, result := range values.Results { + var a []string + a = append(a, result.PatchedResource) + a = getPolicyResourceFullPaths(a, policyResourcePath, isGit) + values.Results[i].PatchedResource = a[0] + } policies, err := common.GetPoliciesFromPaths(fs, fullPolicyPath, isGit, policyResourcePath) if err != nil { fmt.Printf("Error: failed to load policies\nCause: %s\n", err) 
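Review bot: The loop over `values.Results` resolves every entry's `PatchedResource`, including the empty value that validate-only tests have, and for a non-git run `filepath.Join(policyResourcePath, "")` yields the test directory itself, so an unset patchedResource silently becomes a directory path that later loading code will try to read as a file. Wrapping a single path in a one-element slice is also unnecessary given the singular helper this same patch adds: `if result.PatchedResource != "" { values.Results[i].PatchedResource = getPolicyResourceFullPath(result.PatchedResource, policyResourcePath, isGit) }`. applyPoliciesFromPath starts and ends outside this hunk.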
@@ -411,16 +634,15 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s return sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.Name, resource.GetName()), err) } - validateErs, info, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, true, namespaceSelectorMap, false, &resultCounts) + ers, info, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, true, namespaceSelectorMap, false, &resultCounts, false) if err != nil { return sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) } - validateEngineResponses = append(validateEngineResponses, validateErs) + engineResponses = append(engineResponses, ers) pvInfos = append(pvInfos, info) } } - resultsMap, testResults := buildPolicyResults(validateEngineResponses, values.Results, pvInfos) - + resultsMap, testResults := buildPolicyResults(engineResponses, values.Results, pvInfos, policyResourcePath, fs, isGit) resultErr := printTestResult(resultsMap, testResults, rc) if resultErr != nil { return sanitizederror.NewWithError("Unable to genrate result. Error:", resultErr) 
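Review bot: The call to `common.ApplyPolicyOnResource` now ends in an unexplained literal `false` after an existing run of positional booleans, which is hard to read at the call site; naming it, e.g. `printPatchResource := false` on the line before, or an inline `/* printPatchResource */ false`, documents what is being switched off. applyPoliciesFromPath starts and ends outside this hunk.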
@@ -440,17 +662,34 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T res.ID = i + 1 res.Policy = boldFgCyan.Sprintf(v.Policy) res.Rule = boldFgCyan.Sprintf(v.Rule) - res.Resource = boldFgCyan.Sprintf(v.Resource) - + namespace := "default" + if v.Namespace != "" { + namespace = v.Namespace + } + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) var ruleNameInResultKey string if v.AutoGeneratedRule != "" { ruleNameInResultKey = fmt.Sprintf("%s-%s", v.AutoGeneratedRule, v.Rule) } else { ruleNameInResultKey = v.Rule } - - resultKey := fmt.Sprintf("%s-%s-%s", v.Policy, ruleNameInResultKey, v.Resource) - + resultKey := fmt.Sprintf("%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Kind, v.Resource) + found, _ := isNamespacedPolicy(v.Policy) + if found || v.Namespace != "" { + if found { + var ns string + ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy) + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Kind, v.Resource) + res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy) + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + if v.Namespace != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) + } + } else { + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) + } + } var testRes report.PolicyReportResult if val, ok := resps[resultKey]; ok { testRes = val 
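Review bot: The new `boldFgCyan.Sprintf(ns)`, `boldFgCyan.Sprintf(v.Kind)` and `boldFgCyan.Sprintf(namespace)` calls pass user-supplied test.yaml values as the format string, so a `%` in a name is interpreted as a verb and prints as `%!v(MISSING)`-style garbage (go vet flags non-constant format strings); `Sprint` gives the same coloured text without that. The block also rebuilds the result key inline in three branches, duplicating the logic of `GetResultKeyAccordingToTestResults` added by this same patch, and assigns the identical `res.Resource` expression three times. printTestResult starts and ends outside this hunk.
```go
// … unchanged: ruleNameInResultKey computation …
found, _ := isNamespacedPolicy(v.Policy)
ns := ""
if found {
	ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy)
	res.Policy = boldFgCyan.Sprint(ns) + "/" + boldFgCyan.Sprint(v.Policy)
}
res.Resource = boldFgCyan.Sprint(namespace) + "/" + boldFgCyan.Sprint(v.Kind) + "/" + boldFgCyan.Sprint(v.Resource)
// same key layout as buildPolicyResults, so the lookup below cannot drift from it
resultKey := GetResultKeyAccordingToTestResults(ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource)
// … unchanged: lookup in resps and result reporting …
```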
@@ -465,7 +704,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T } if testRes.Result == v.Result { if testRes.Result == report.StatusSkip { - res.Result = boldGreen.Sprintf("Pass") + res.Result = boldYellow.Sprintf("Skip") rc.Skip++ } else { res.Result = boldGreen.Sprintf("Pass") @@ -487,6 +726,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T } printer.HeaderBgColor = tablewriter.BgBlackColor printer.HeaderFgColor = tablewriter.FgGreenColor + fmt.Printf("\n") printer.Print(table) return nil } diff --git a/pkg/utils/loadpolicy.go b/pkg/utils/loadpolicy.go index 58f39934e8..6a621b7ad1 100644 --- a/pkg/utils/loadpolicy.go +++ b/pkg/utils/loadpolicy.go @@ -40,6 +40,12 @@ func GetPolicy(bytes []byte) (clusterPolicies []*v1.ClusterPolicy, err error) { return nil, fmt.Errorf(msg) } + if (policy.Namespace != "" || policy.Namespace == "") && policy.Kind == "Policy" { + if policy.Namespace == "" { + policy.Namespace = "default" + } + policy.Kind = "ClusterPolicy" + } clusterPolicies = append(clusterPolicies, policy) } diff --git a/test/cli/test-fail/missing-policy/test.yaml b/test/cli/test-fail/missing-policy/test.yaml index f177943769..3341796829 100644 --- a/test/cli/test-fail/missing-policy/test.yaml +++ b/test/cli/test-fail/missing-policy/test.yaml @@ -7,4 +7,5 @@ results: - policy: missing rule: validate-image-tag resource: test + kind: Pod result: pass diff --git a/test/cli/test-fail/missing-resource/test.yaml b/test/cli/test-fail/missing-resource/test.yaml index 5a3d42ede7..3b4eb9ce3f 100644 --- a/test/cli/test-fail/missing-resource/test.yaml +++ b/test/cli/test-fail/missing-resource/test.yaml @@ -7,4 +7,5 @@ results: - policy: disallow-latest-tag rule: validate-image-tag resource: missing + kind: Pod result: pass diff --git a/test/cli/test-fail/missing-rule/test.yaml b/test/cli/test-fail/missing-rule/test.yaml index 78b6f68665..c2bea69460 100644 --- a/test/cli/test-fail/missing-rule/test.yaml 
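Review bot: In the loadpolicy.go hunk the condition `(policy.Namespace != "" || policy.Namespace == "") && policy.Kind == "Policy"` is a tautology on the namespace and reduces to `if policy.Kind == "Policy" {`. The branch then rewrites a namespaced Policy's Kind to `ClusterPolicy` and defaults its namespace to `default`, which callers can no longer tell apart from a real ClusterPolicy; a comment such as `// the CLI loads namespaced Policies as ClusterPolicies; the namespace is kept only for result-key matching` would record why that is acceptable here. GetPolicy starts and ends outside the hunk.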
+++ b/test/cli/test-fail/missing-rule/test.yaml @@ -7,4 +7,5 @@ results: - policy: disallow-latest-tag rule: missing resource: test + kind: Pod status: pass diff --git a/test/cli/test-mutate/patchedResource1.yaml b/test/cli/test-mutate/patchedResource1.yaml new file mode 100644 index 0000000000..72e56c98eb --- /dev/null +++ b/test/cli/test-mutate/patchedResource1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + color: orange + name: resource-equal-to-patch-res-for-cp + namespace: practice +spec: + containers: + - image: nginx:latest + name: nginx + dnsConfig: + options: + - name: ndots + value: "1" \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource10.yaml b/test/cli/test-mutate/patchedResource10.yaml new file mode 100644 index 0000000000..5c150b393f --- /dev/null +++ b/test/cli/test-mutate/patchedResource10.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + dnsConfig: + options: + - name: ndots + value: "1" diff --git a/test/cli/test-mutate/patchedResource11.yaml b/test/cli/test-mutate/patchedResource11.yaml new file mode 100644 index 0000000000..9b6e986d6c --- /dev/null +++ b/test/cli/test-mutate/patchedResource11.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-kind + labels: + foo: bar +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource2.yaml b/test/cli/test-mutate/patchedResource2.yaml new file mode 100644 index 0000000000..e9dda00052 --- /dev/null +++ b/test/cli/test-mutate/patchedResource2.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-namespace + labels: + foo: bar + color: orange + namespace: testing +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource3.yaml b/test/cli/test-mutate/patchedResource3.yaml new file mode 100644 index 0000000000..195ab624ca --- /dev/null +++ b/test/cli/test-mutate/patchedResource3.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-namespace + labels: + foo: bar + color: orange + namespace: production +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource4.yaml b/test/cli/test-mutate/patchedResource4.yaml new file mode 100644 index 0000000000..86f051a2b6 --- /dev/null +++ b/test/cli/test-mutate/patchedResource4.yaml @@ -0,0 +1,23 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx + name: mydeploy +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + color: orange + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 + diff --git a/test/cli/test-mutate/patchedResource5.yaml b/test/cli/test-mutate/patchedResource5.yaml new file mode 100644 index 0000000000..851afeef1a --- /dev/null +++ b/test/cli/test-mutate/patchedResource5.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: same-name-but-diff-kind +spec: + selector: + app: MyApp + ports: + - port: 80 + targetPort: 80 + nodePort: 30007 + type: NodePort \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource6.yaml b/test/cli/test-mutate/patchedResource6.yaml new file mode 100644 index 0000000000..29a7c205a4 --- /dev/null +++ b/test/cli/test-mutate/patchedResource6.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-kind + labels: + foo: bar + color: orange +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource7.yaml b/test/cli/test-mutate/patchedResource7.yaml new file mode 100644 index 0000000000..6691ff130f --- /dev/null +++ b/test/cli/test-mutate/patchedResource7.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + color: orange + name: resource-equal-to-patch-res-for-cp + namespace: practice +spec: + containers: + - image: nginx:latest + name: nginx + dnsConfig: + options: + - name: ndots + value: "1" diff --git a/test/cli/test-mutate/patchedResource8.yaml b/test/cli/test-mutate/patchedResource8.yaml new file mode 100644 index 0000000000..4754a1f6b2 --- /dev/null +++ b/test/cli/test-mutate/patchedResource8.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + name: same-name-but-diff-namespace + namespace: testing +spec: + containers: + - image: nginx:latest + name: nginx + dnsConfig: + options: + - name: ndots + value: "1" \ No newline at end of file diff --git a/test/cli/test-mutate/patchedResource9.yaml b/test/cli/test-mutate/patchedResource9.yaml new file mode 100644 index 0000000000..7605238a09 --- /dev/null +++ b/test/cli/test-mutate/patchedResource9.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-namespace + labels: + foo: bar + namespace: production +spec: + containers: + - name: nginx + image: nginx:latest \ No newline at end of file diff --git a/test/cli/test-mutate/policy.yaml b/test/cli/test-mutate/policy.yaml new file mode 100644 index 0000000000..1d9050b7e3 --- /dev/null +++ b/test/cli/test-mutate/policy.yaml 
@@ -0,0 +1,62 @@ +# Below there are both type of olicies: ClusterPolicy and Policy(Namespaced-Policy) + +#ClusterPolicy +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-label + annotations: + policies.kyverno.io/title: Add nodeSelector + policies.kyverno.io/category: Sample + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Labels are used as an important source of metadata describing objects in various ways + or triggering other functionality. Labels are also a very basic concept and should be + used throughout Kubernetes. This policy performs a simple mutation which adds a label + `color=orange` to Pods, Services, ConfigMaps, and Secrets. +spec: + background: false + validationFailureAction: + rules: + - name: add-label + match: + resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + metadata: + labels: + color: orange + +--- + +# Policy ( In testing namespace ) +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: add-ndots + namespace: testing + annotations: + policies.kyverno.io/title: Add ndots + policies.kyverno.io/category: Sample + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + The ndots value controls where DNS lookups are first performed in a cluster + and needs to be set to a lower value than the default of 5 in some cases. + This policy mutates all Pods to add the ndots option with a value of 1. +spec: + background: false + rules: + - name: add-ndots + match: + resources: + kinds: + - Pod + mutate: + patchStrategicMerge: + spec: + dnsConfig: + options: + - name: ndots + value: "1" \ No newline at end of file diff --git a/test/cli/test-mutate/resource.yaml b/test/cli/test-mutate/resource.yaml new file mode 100644 index 0000000000..b66186af9e --- /dev/null +++ b/test/cli/test-mutate/resource.yaml 
@@ -0,0 +1,100 @@ +# resource == patchedResource +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + color: orange + name: resource-equal-to-patch-res-for-cp + namespace: practice +spec: + containers: + - image: nginx:latest + name: nginx + +--- +# Resource with same name and diff. namespace +# Same namespace as namespaced-policy +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-namespace + labels: + foo: bar + namespace: testing +spec: + containers: + - name: nginx + image: nginx:latest + +--- +# Resource with same name and diff. namespace +# Namespace differ from namespaced-policy +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-namespace + labels: + foo: bar + namespace: production +spec: + containers: + - name: nginx + image: nginx:latest + +--- + +# Deployment in default namespace +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +--- + +# Resource (Service) with same name but different kind +apiVersion: v1 +kind: Service +metadata: + name: same-name-but-diff-kind +spec: + selector: + app: MyApp + ports: + - port: 80 + targetPort: 80 + nodePort: 30007 + type: NodePort + +--- + +# Resource (Pod) with same name but different kind +apiVersion: v1 +kind: Pod +metadata: + name: same-name-but-diff-kind + labels: + foo: bar +spec: + containers: + - name: nginx + image: nginx:latest + + diff --git a/test/cli/test-mutate/test.yaml b/test/cli/test-mutate/test.yaml new file mode 100644 index 0000000000..0b8925e206 --- /dev/null +++ b/test/cli/test-mutate/test.yaml 
@@ -0,0 +1,86 @@ +name: add-nodeselector +policies: + - policy.yaml +resources: + - resource.yaml +results: + - policy: add-label + rule: add-label + resource: resource-equal-to-patch-res-for-cp + patchedResource: patchedResource1.yaml + kind: Pod + namespace: practice + result: skip + - policy: add-label + rule: add-label + resource: same-name-but-diff-namespace + patchedResource: patchedResource2.yaml + kind: Pod + namespace: testing + result: pass + - policy: add-label + rule: add-label + resource: same-name-but-diff-namespace + patchedResource: patchedResource3.yaml + kind: Pod + namespace: production + result: pass + - policy: add-label + rule: add-label + resource: mydeploy + patchedResource: patchedResource4.yaml + kind: Deployment + result: pass + - policy: add-label + rule: add-label + resource: same-name-but-diff-kind + patchedResource: patchedResource5.yaml + kind: Service + result: skip + - policy: add-label + rule: add-label + resource: same-name-but-diff-kind + patchedResource: patchedResource6.yaml + kind: Pod + result: pass + + + - policy: testing/add-ndots + rule: add-ndots + resource: resource-equal-to-patch-res-for-cp + namespace: practice + patchedResource: patchedResource7.yaml + kind: Pod + result: skip + - policy: testing/add-ndots + rule: add-ndots + resource: same-name-but-diff-namespace + patchedResource: patchedResource8.yaml + namespace: testing + kind: Pod + result: pass + - policy: testing/add-ndots + rule: add-ndots + resource: same-name-but-diff-namespace + patchedResource: patchedResource9.yaml + kind: Pod + namespace: production + result: skip + - policy: testing/add-ndots + rule: add-ndots + resource: mydeploy + patchedResource: patchedResource10.yaml + kind: Deployment + result: skip + - policy: testing/add-ndots + rule: add-ndots + resource: same-name-but-diff-kind + patchedResource: patchedResource5.yaml + kind: Service + result: skip + - policy: testing/add-ndots + rule: add-ndots + resource: same-name-but-diff-kind + 
patchedResource: patchedResource11.yaml + kind: Pod + result: skip diff --git a/test/cli/test/autogen/test.yaml b/test/cli/test/autogen/test.yaml index d6bef7195f..bf19c8746f 100644 --- a/test/cli/test/autogen/test.yaml +++ b/test/cli/test/autogen/test.yaml @@ -7,46 +7,54 @@ results: - policy: require-common-labels rule: check-for-labels result: pass + kind: Pod resource: pod-with-labels # TEST: Pod Missing Labels Should Fail - policy: require-common-labels rule: check-for-labels result: fail + kind: Pod resource: pod-missing-labels # TEST: Deployment with Labels Should Pass - policy: require-common-labels rule: check-for-labels result: pass + kind: Deployment resource: deployment-with-labels # TEST: Deployment with Labels Should Fail - policy: require-common-labels rule: check-for-labels result: fail + kind: Deployment resource: deployment-missing-labels # TEST: StatefulSet with Labels Should Pass - policy: require-common-labels rule: check-for-labels result: pass + kind: StatefulSet resource: StatefulSet-with-labels # TEST: StatefulSet with Labels Should fail - policy: require-common-labels rule: check-for-labels result: fail + kind: StatefulSet resource: StatefulSet-without-labels # TEST: Cronjob with Labels Should pass - policy: require-common-labels rule: check-for-labels result: pass + kind: CronJob resource: cronjob-with-labels # TEST: Cronjob without Labels Should fail - policy: require-common-labels rule: check-for-labels result: fail + kind: CronJob resource: cronjob-without-labels diff --git a/test/cli/test/simple/test.yaml b/test/cli/test/simple/test.yaml index e5b6b01ec0..3abb5c2d47 100644 --- a/test/cli/test/simple/test.yaml +++ b/test/cli/test/simple/test.yaml 
@@ -7,20 +7,25 @@ results: - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-pass + kind: Pod status: pass - policy: disallow-latest-tag rule: require-image-tag resource: test-require-image-tag-fail + kind: Pod status: fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-ignore + kind: Pod status: skip - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-fail + kind: Pod status: fail - policy: disallow-latest-tag rule: validate-image-tag resource: test-validate-image-tag-pass + kind: Pod status: pass diff --git a/test/cli/test/variables/test.yaml b/test/cli/test/variables/test.yaml index efb634a873..d29f364055 100644 --- a/test/cli/test/variables/test.yaml +++ b/test/cli/test/variables/test.yaml @@ -11,18 +11,22 @@ results: - policy: cm-variable-example rule: example-configmap-lookup resource: test-env-test + kind: Pod result: pass - policy: cm-variable-example rule: example-configmap-lookup resource: test-env-dev + kind: Pod result: fail - policy: cm-array-example rule: validate-role-annotation resource: test-web + kind: Pod result: fail - policy: cm-array-example rule: validate-role-annotation resource: test-app + kind: Pod result: pass - policy: cm-blk-scalar-example rule: validate-blk-role-annotation From f4e9543b40f52d2e0fd6f6f74d17810316f1cab0 Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Fri, 1 Oct 2021 17:52:23 +0530 Subject: [PATCH 41/50] updated apply policy on resource function Signed-off-by: NoSkillGirl --- pkg/kyverno/common/common.go | 35 +++++++------- pkg/kyverno/test/test_command.go | 82 +++++++++++++------------------- 2 files changed, 51 insertions(+), 66 deletions(-) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index bf5efb0842..2bff973825 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go 
@@ -524,16 +524,16 @@ func MutatePolices(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) { // ApplyPolicyOnResource - function to apply policy on resource func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured, - mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts, printPatchResource bool) (*response.EngineResponse, policyreport.Info, error) { + mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts, printPatchResource bool) ([]*response.EngineResponse, policyreport.Info, error) { + var engineResponses []*response.EngineResponse + namespaceLabels := make(map[string]string) operationIsDelete := false if variables["request.operation"] == "DELETE" { operationIsDelete = true } - namespaceLabels := make(map[string]string) - var engineResponse *response.EngineResponse policyWithNamespaceSelector := false for _, p := range policy.Spec.Rules { if p.MatchResources.ResourceDescription.NamespaceSelector != nil || @@ -547,7 +547,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst resourceNamespace := resource.GetNamespace() namespaceLabels = namespaceSelectorMap[resource.GetNamespace()] if resourceNamespace != "default" && len(namespaceLabels) < 1 { - return engineResponse, policyreport.Info{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) + return engineResponses, policyreport.Info{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) } } 
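Review bot: The doc comment `// ApplyPolicyOnResource - function to apply policy on resource` is unchanged although the return type became `[]*response.EngineResponse`, and nothing tells a caller what the slice contains or in what order. From the later hunks the slice receives the mutate, validate and generate responses that are non-nil, in that order, so the comment should say so, e.g. `// ApplyPolicyOnResource applies policy to resource and returns one EngineResponse per engine stage that ran (mutate, validate, generate, in that order), plus the policy-report info.` ApplyPolicyOnResource continues outside this hunk.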
@@ -575,14 +575,14 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } mutateResponse := engine.Mutate(&engine.PolicyContext{Policy: *policy, NewResource: *resource, JSONContext: ctx, NamespaceLabels: namespaceLabels}) - if mutateResponse != nil { - engineResponse = mutateResponse + engineResponses = append(engineResponses, mutateResponse) } + err = processMutateEngineResponse(policy, mutateResponse, resPath, rc, mutateLogPath, stdin, mutateLogPathIsDir, resource.GetName(), printPatchResource) if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return engineResponse, policyreport.Info{}, sanitizederror.NewWithError("failed to print mutated result", err) + return engineResponses, policyreport.Info{}, sanitizederror.NewWithError("failed to print mutated result", err) } } @@ -609,7 +609,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst info = ProcessValidateEngineResponse(policy, validateResponse, resPath, rc, policyReport) } if validateResponse != nil { - engineResponse = validateResponse + engineResponses = append(engineResponses, validateResponse) } var policyHasGenerate bool @@ -631,13 +631,13 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst NamespaceLabels: namespaceLabels, } generateResponse := engine.Generate(policyContext) - if validateResponse != nil { - engineResponse = generateResponse + if generateResponse != nil { + engineResponses = append(engineResponses, generateResponse) } processGenerateEngineResponse(policy, generateResponse, resPath, rc) } - return engineResponse, info, nil + return engineResponses, info, nil } // PrintMutatedOutput - function to print output in provided file or directory 
@@ -923,7 +923,7 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo } } - if printMutatedRes { + if printMutatedRes && printPatchResource { yamlEncodedResource, err := yamlv2.Marshal(mutateResponse.PatchedResource.Object) if err != nil { return sanitizederror.NewWithError("failed to marshal", err) @@ -932,12 +932,10 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo if mutateLogPath == "" { mutatedResource := string(yamlEncodedResource) + string("\n---") if len(strings.TrimSpace(mutatedResource)) > 0 { - if !stdin && printPatchResource { + if !stdin { fmt.Printf("\nmutate policy %s applied to %s:", policy.Name, resPath) } - if printPatchResource { - fmt.Printf("\n" + mutatedResource) - } + fmt.Printf("\n" + mutatedResource + "\n") } } else { err := PrintMutatedOutput(mutateLogPath, mutateLogPathIsDir, string(yamlEncodedResource), resourceName+"-mutated") @@ -1010,6 +1008,7 @@ func GetPatchedResourceFromPath(fs billy.Filesystem, path string, isGit bool, po var patchedResourceBytes []byte var patchedResource unstructured.Unstructured var err error + if isGit { if len(path) > 0 { filep, err := fs.Open(filepath.Join(policyResourcePath, path)) @@ -1020,15 +1019,17 @@ func GetPatchedResourceFromPath(fs billy.Filesystem, path string, isGit bool, po } } else { patchedResourceBytes, err = getFileBytes(path) - } + if err != nil { fmt.Printf("\n----------------------------------------------------------------------\nfailed to load patchedResource: %s. \nerror: %s\n----------------------------------------------------------------------\n", path, err) return patchedResource, err } + patchedResource, err = GetPatchedResource(patchedResourceBytes) if err != nil { return patchedResource, err } + return patchedResource, nil } diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index c6e900f94b..79ad10d4bb 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go 
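Review bot: In the GetPatchedResourceFromPath hunks the error check was moved out of the `else` branch so it now also follows the git branch, but that branch opens the file with `filep, err := fs.Open(...)`, which declares a new `err` scoped to the `if len(path) > 0` block; unless that block returns on its own (its remainder is outside the hunk), an Open failure is invisible to the hoisted `if err != nil` and the function proceeds with empty bytes. Declaring `filep, openErr := fs.Open(...)` and handling it inside, or assigning with `=` to the outer `err`, makes the check effective; for an empty path on the git side the function also skips reading entirely and decodes nothing, which deserves an explicit error. The hunk both prints the load error with `fmt.Printf` and returns it, so the caller will report it twice; pick one layer.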
@@ -39,22 +39,22 @@ import ( ) var longHelp = ` -Test command provides a facility to test policies on resources. For that, user needs to provide the path of the folder containing test.yaml file. +Test command provides a facility to test policies on resources. User should provide the path of the folder containing test.yaml file. - kyverno test /path/to/folderContaningTestYamls + kyverno test or - kyverno test /path/to/githubRepository + kyverno test -The test.yaml file is configuration file for test command. It consists of 4 parts:- - "policies" (required) --> element lists one or more path of policies - "resources" (required) --> element lists one or more path of resources. - "variables" (optional) --> element with one variables files - "results" (required) --> element lists one more expected result. +The test.yaml have 4 parts: + "policies" --> list of policies which are applied + "resources" --> list of resources on which the policies are applied + "variables" --> variable file path (this is an optinal parameter) + "results" --> list of result expected on applying the policies on the resources ` var exampleHelp = ` -For Validate Policy - test.yaml +test.yaml format: +For Validate Policy - name: test-1 policies: - @@ -70,14 +70,10 @@ For Validate Policy kind: result: -For more visit --> https://kyverno.io/docs/kyverno-cli/#test +For Mutate Policy -For Mutate Policy 1) Policy (Namespaced-policy) - - test.yaml - - name: test-1 policies: - @@ -90,15 +86,11 @@ For Mutate Policy rule: resource: namespace: (OPTIONAL) + kind: patchedResource: - kind: result: - -2) ClusterPolicy(cluster-wide policy) - - test.yaml - +2) ClusterPolicy(Cluster-wide policy) - name: test-1 policies: - 
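Review bot: The usage examples in `longHelp` lost their argument — `kyverno test /path/to/folderContaningTestYamls` became a bare `kyverno test` — while the sentence above still says the user should provide the folder path, so the help no longer shows how. Restore it, e.g. `kyverno test <path/to/folder-containing-test.yaml>` and `kyverno test <path/to/github-repository>`. Also `optinal` should read `optional`, and the `"results"` line reads better as `list of results expected when the policies are applied to the resources`.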
@@ -115,12 +107,12 @@ For Mutate Policy patchedResource: result: -NOTE:- -In the results section, policy(if ClusterPolicy) or /(if Policy), rule, resource, kind and result are mandatory fields for all type of policy. - +Result description: pass --> patched Resource generated from engine equals to patched Resource provided by the user. fail --> patched Resource generated from engine is not equals to patched provided by the user. skip --> rule is not applied. + +For more visit --> https://kyverno.io/docs/kyverno-cli/#test ` // Command returns version command @@ -515,25 +507,17 @@ func getAndComparePatchedResource(path string, enginePatchedResource unstructure return status } -func getPolicyResourceFullPaths(path []string, policyResourcePath string, isGit bool) []string { - var pol []string - if !isGit { - for _, p := range path { - pol = append(pol, getPolicyResourceFullPath(p, policyResourcePath, isGit)) - } - return pol - } - return path -} - -func getPolicyResourceFullPath(path string, policyResourcePath string, isGit bool) string { +func getFullPath(paths []string, policyResourcePath string, isGit bool) []string { + var pols []string var pol string if !isGit { - pol = filepath.Join(policyResourcePath, path) - - return pol + for _, path := range paths { + pol = filepath.Join(policyResourcePath, path) + pols = append(pols, pol) + } + return pols } - return path + return paths } func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile string, isGit bool, policyResourcePath string, rc *resultCounts) (err error) { 
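Review bot: The new `Result description` block carries grammar slips that ship in `--help`: `patched Resource generated from engine equals to patched Resource provided by the user` should read `the patched resource generated by the engine equals the one provided by the user`, and the `fail` line `is not equals to patched provided by the user` should read `differs from the one provided by the user`. The removed NOTE was the only place that said which result fields are mandatory; since `GetResultKeyAccordingToTestResults` in this file keys results on `policy`, `rule`, `kind` and `resource`, that sentence is worth keeping.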
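Review bot: `getFullPath` declares `pol` outside the loop and appends to an unsized `pols`; a pre-sized slice and a loop-scoped expression read more clearly: `pols := make([]string, 0, len(paths))` and, in the loop, `pols = append(pols, filepath.Join(policyResourcePath, path))`, dropping `var pol string`. The names `pol`/`pols` also no longer fit now that the helper resolves resource and patched-resource paths too; `fullPaths` would be clearer. The git branch returns the caller's slice itself rather than a copy, which is fine today but deserves a one-line doc comment on the function.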
@@ -560,16 +544,16 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
 return err
 }
- fullPolicyPath := getPolicyResourceFullPaths(values.Policies, policyResourcePath, isGit)
- fullResourcePath := getPolicyResourceFullPaths(values.Resources, policyResourcePath, isGit)
+ policyFullPath := getFullPath(values.Policies, policyResourcePath, isGit)
+ resourceFullPath := getFullPath(values.Resources, policyResourcePath, isGit)
 for i, result := range values.Results {
- var a []string
- a = append(a, result.PatchedResource)
- a = getPolicyResourceFullPaths(a, policyResourcePath, isGit)
- values.Results[i].PatchedResource = a[0]
+ arrPatchedResource := []string{result.PatchedResource}
+ patchedResourceFullPath := getFullPath(arrPatchedResource, policyResourcePath, isGit)
+ values.Results[i].PatchedResource = patchedResourceFullPath[0]
 }
- policies, err := common.GetPoliciesFromPaths(fs, fullPolicyPath, isGit, policyResourcePath)
+
+ policies, err := common.GetPoliciesFromPaths(fs, policyFullPath, isGit, policyResourcePath)
 if err != nil {
 fmt.Printf("Error: failed to load policies\nCause: %s\n", err)
 os.Exit(1)
@@ -587,7 +571,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
 return sanitizederror.NewWithError("failed to print mutated policy", err)
 }
- resources, err := common.GetResourceAccordingToResourcePath(fs, fullResourcePath, false, mutatedPolicies, dClient, "", false, isGit, policyResourcePath)
+ resources, err := common.GetResourceAccordingToResourcePath(fs, resourceFullPath, false, mutatedPolicies, dClient, "", false, isGit, policyResourcePath)
 if err != nil {
 fmt.Printf("Error: failed to load resources\nCause: %s\n", err)
 os.Exit(1)
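Review bot: The loop over `values.Results` passes every entry's `PatchedResource` through `getFullPath`, including empty ones: the validate examples in this file's `exampleHelp` have no `patchedResource`, and for those `filepath.Join(policyResourcePath, "")` (non-git mode) yields the policy directory itself, which is then stored as the patched-resource path. Guard the empty case: `if result.PatchedResource != "" { values.Results[i].PatchedResource = getFullPath([]string{result.PatchedResource}, policyResourcePath, isGit)[0] }`. The `arrPatchedResource` temporary exists only to satisfy the slice parameter; a single-path helper would avoid it. `applyPoliciesFromPath` continues outside the hunk.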
@@ -638,7 +622,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
 if err != nil {
 return sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err)
 }
- engineResponses = append(engineResponses, ers)
+ engineResponses = append(engineResponses, ers...)
 pvInfos = append(pvInfos, info)
 }
 }
From 1bf48c54a8dce289fa9112e4ad2037b1274371c3 Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Fri, 1 Oct 2021 22:43:21 +0530
Subject: [PATCH 42/50] improving if condition
Signed-off-by: NoSkillGirl
---
 pkg/kyverno/test/test_command.go | 75 +++++++++++++++++++-------------
 pkg/utils/loadpolicy.go | 2 +-
 2 files changed, 45 insertions(+), 32 deletions(-)
diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go
index 79ad10d4bb..78bf41707d 100644
--- a/pkg/kyverno/test/test_command.go
+++ b/pkg/kyverno/test/test_command.go
@@ -336,6 +336,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu
 for _, rule := range resp.PolicyResponse.Rules {
 rules = append(rules, rule.Name)
 }
+
 result := report.PolicyReportResult{
 Policy: policyName,
 Resources: []*corev1.ObjectReference{
@@ -344,11 +345,17 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu
 },
 },
 }
+ var patcheResourcePath []string
 for i, test := range testResults {
 var userDefinedPolicyNamespace string
 var userDefinedPolicyName string
- found, _ := isNamespacedPolicy(test.Policy)
+ found, err := isNamespacedPolicy(test.Policy)
+ if err != nil {
+ log.Log.V(3).Info("error while checking the policy is namespaced or not", "policy: ", test.Policy, "error: ", err)
+ continue
+ }
+
+ if found {
 userDefinedPolicyNamespace, userDefinedPolicyName = getUserDefinedPolicyNameAndNamespace(test.Policy)
 test.Policy = userDefinedPolicyName
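Review bot: When `isNamespacedPolicy` returns an error the new code logs at V(3) and `continue`s, so that test case silently vanishes from the results map and never shows in the printed table as a failure or as `Not found`; a malformed `policy` value in test.yaml makes the test disappear rather than fail. Either return the error or record a failing entry for the test before continuing. The log call uses `"policy: "` and `"error: "` as structured keys; logr keys should be bare words, `log.Log.V(3).Info("...", "policy", test.Policy, "error", err)`, or use `log.Log.Error(err, ...)`. `patcheResourcePath` is misspelled (`patchedResourcePath`). `buildPolicyResults` continues outside the hunk.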
@@ -358,6 +365,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu
 var resultsKey string
 resultsKey = GetResultKeyAccordingToTestResults(userDefinedPolicyNamespace, test.Policy, test.Rule, test.Namespace, test.Kind, test.Resource)
 if !util.ContainsString(rules, test.Rule) {
+ if !util.ContainsString(rules, "autogen-"+test.Rule) {
 if !util.ContainsString(rules, "autogen-cronjob-"+test.Rule) {
 result.Result = report.StatusSkip
@@ -371,6 +379,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu
 test.Rule = "autogen-" + test.Rule
 resultsKey = GetResultKeyAccordingToTestResults(userDefinedPolicyNamespace, test.Policy, test.Rule, test.Namespace, test.Kind, test.Resource)
 }
+
 if results[resultsKey].Result == "" {
 result.Result = report.StatusSkip
 results[resultsKey] = result
@@ -448,29 +457,26 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu return results, testResults } -func GetAllPossibleResultsKey(policyNamespace, policy, rule, namespace, kind, resource string) []string { +func GetAllPossibleResultsKey(policyNs, policy, rule, resourceNsnamespace, kind, resource string) []string { var resultsKey []string resultKey1 := fmt.Sprintf("%s-%s-%s-%s", policy, rule, kind, resource) - resultKey2 := fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, namespace, kind, resource) - resultKey3 := fmt.Sprintf("%s-%s-%s-%s-%s", policyNamespace, policy, rule, kind, resource) - resultKey4 := fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNamespace, policy, rule, namespace, kind, resource) + resultKey2 := fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, resourceNsnamespace, kind, resource) + resultKey3 := fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource) + resultKey4 := fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, resourceNsnamespace, kind, resource) resultsKey = append(resultsKey, resultKey1, resultKey2, resultKey3, resultKey4) return resultsKey } -func GetResultKeyAccordingToTestResults(policyNs, policy, rule, namespace, kind, resource string) string { +func GetResultKeyAccordingToTestResults(policyNs, policy, rule, resourceNs, kind, resource string) string { var resultKey string resultKey = fmt.Sprintf("%s-%s-%s-%s", policy, rule, kind, resource) - if namespace != "" || policyNs != "" { - if policyNs != "" { - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource) - if namespace != "" { - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, namespace, kind, resource) - } - } else { - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, namespace, kind, resource) - } + if policyNs != "" && resourceNs != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, resourceNs, kind, resource) + } else if policyNs != "" { + resultKey = 
fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource) + } else if resourceNs != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", policy, rule, resourceNs, kind, resource) } return resultKey } @@ -480,10 +486,9 @@ func isNamespacedPolicy(policyNames string) (bool, error) { } func getUserDefinedPolicyNameAndNamespace(policyName string) (string, string) { - policy := policyName policy_n_ns := strings.Split(policyName, "/") namespace := policy_n_ns[0] - policy = policy_n_ns[1] + policy := policy_n_ns[1] return namespace, policy } @@ -641,15 +646,18 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T boldRed := color.New(color.FgRed).Add(color.Bold) boldYellow := color.New(color.FgYellow).Add(color.Bold) boldFgCyan := color.New(color.FgCyan).Add(color.Bold) + for i, v := range testResults { res := new(Table) res.ID = i + 1 res.Policy = boldFgCyan.Sprintf(v.Policy) res.Rule = boldFgCyan.Sprintf(v.Rule) + namespace := "default" if v.Namespace != "" { namespace = v.Namespace } + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) var ruleNameInResultKey string if v.AutoGeneratedRule != "" { 
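Review bot: The renamed parameters are inconsistent between the two sibling functions: `GetAllPossibleResultsKey` now takes `resourceNsnamespace` while `GetResultKeyAccordingToTestResults` takes `resourceNs`; use `resourceNs` in both. The flattened chain is equivalent to the old nesting, but the keys join names with `-`, and Kubernetes names routinely contain `-`, so `policyNs="a", policy="b-c"` and `policyNs="a-b", policy="c"` produce the same key; a separator that cannot appear in a DNS label (e.g. `/`) would make the keys unambiguous, provided `printTestResult`, which builds matching keys by hand, is changed the same way. `var resultKey string` followed by an assignment can simply be `resultKey := fmt.Sprintf(...)`.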
@@ -657,23 +665,23 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T } else { ruleNameInResultKey = v.Rule } + resultKey := fmt.Sprintf("%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Kind, v.Resource) found, _ := isNamespacedPolicy(v.Policy) - if found || v.Namespace != "" { - if found { - var ns string - ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy) - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Kind, v.Resource) - res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy) - res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) - if v.Namespace != "" { - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) - } - } else { - res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) - resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) - } + + var ns string + ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy) + if found && v.Namespace != "" { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) + } else if found { + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Kind, v.Resource) + res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy) + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + } else if v.Namespace != "" { + res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) } + var testRes report.PolicyReportResult if val, ok := resps[resultKey]; ok { testRes = val 
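Review bot: In the `found && v.Namespace != ""` branch only `resultKey` is set; `res.Policy` is not prefixed with `ns/` as it is in the plain `found` branch, so a namespaced policy whose test also names a resource namespace prints without its namespace in the table. Hoist `res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy)` under a single `if found` before the key selection. `getUserDefinedPolicyNameAndNamespace` is now called for every entry, including names without a `/`, and at this point in the series it indexes `[1]` of the split unconditionally. The `res.Resource` assignments in the other two branches repeat the value already set a few lines above and can be dropped. `printTestResult` continues outside the hunk.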
@@ -683,9 +691,11 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T table = append(table, res) continue } + if v.Result == "" && v.Status != "" { v.Result = v.Status } + if testRes.Result == v.Result { if testRes.Result == report.StatusSkip { res.Result = boldYellow.Sprintf("Skip") @@ -698,8 +708,10 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T res.Result = boldRed.Sprintf("Fail") rc.Fail++ } + table = append(table, res) } + printer.BorderTop, printer.BorderBottom, printer.BorderLeft, printer.BorderRight = true, true, true, true printer.CenterSeparator = "│" printer.ColumnSeparator = "│" @@ -708,6 +720,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T printer.RowLengthTitle = func(rowsLength int) bool { return rowsLength > 10 } + printer.HeaderBgColor = tablewriter.BgBlackColor printer.HeaderFgColor = tablewriter.FgGreenColor fmt.Printf("\n") diff --git a/pkg/utils/loadpolicy.go b/pkg/utils/loadpolicy.go index 6a621b7ad1..b5b10fc50b 100644 --- a/pkg/utils/loadpolicy.go +++ b/pkg/utils/loadpolicy.go @@ -40,7 +40,7 @@ func GetPolicy(bytes []byte) (clusterPolicies []*v1.ClusterPolicy, err error) { return nil, fmt.Errorf(msg) } - if (policy.Namespace != "" || policy.Namespace == "") && policy.Kind == "Policy" { + if policy.Namespace != "" || (policy.Namespace == "" && policy.Kind == "Policy") { if policy.Namespace == "" { policy.Namespace = "default" } From 7b94a7477ba7aca3c552a7b18727dd8a30288399 Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Fri, 1 Oct 2021 22:54:10 +0530 Subject: [PATCH 43/50] panic fix Signed-off-by: NoSkillGirl --- pkg/kyverno/test/test_command.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 78bf41707d..a10a4cbe2c 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go 
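Review bot: In `GetPolicy`, `policy.Namespace != "" || (policy.Namespace == "" && policy.Kind == "Policy")` simplifies to `policy.Namespace != "" || policy.Kind == "Policy"`, which makes the semantic change visible: the old condition reduced to `policy.Kind == "Policy"`, whereas the new one also routes a `ClusterPolicy` whose manifest happens to carry `metadata.namespace` into the namespaced-policy branch. If that is intended, a comment saying so belongs on the `if`; if not, `policy.Kind == "Policy"` alone is the fix. `GetPolicy` continues outside the hunk.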
@@ -486,10 +486,13 @@ func isNamespacedPolicy(policyNames string) (bool, error) {
 }
 func getUserDefinedPolicyNameAndNamespace(policyName string) (string, string) {
- policy_n_ns := strings.Split(policyName, "/")
- namespace := policy_n_ns[0]
- policy := policy_n_ns[1]
- return namespace, policy
+ if strings.Contains(policyName, "/") {
+ policy_n_ns := strings.Split(policyName, "/")
+ namespace := policy_n_ns[0]
+ policy := policy_n_ns[1]
+ return namespace, policy
+ }
+ return "", policyName
 }
 // getAndComparePatchedResource --> Get the patchedResource from the path provided by user
From 8e0ac567e154c3813be2830db5a1edc3df20fe4c Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Mon, 4 Oct 2021 10:24:39 +0530
Subject: [PATCH 44/50] fixed test-validate-image-tag-ignore test case
Signed-off-by: NoSkillGirl
---
 pkg/kyverno/test/test_command.go | 36 ++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go
index a10a4cbe2c..5535d5e09a 100644
--- a/pkg/kyverno/test/test_command.go
+++ b/pkg/kyverno/test/test_command.go
@@ -632,9 +632,17 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
 }
 engineResponses = append(engineResponses, ers...)
 pvInfos = append(pvInfos, info)
+ // er, _ := json.Marshal(ers)
+ // fmt.Println("\nEngineResponses: ", string(er))
+ // pvI, _ := json.Marshal(pvInfos)
+ // fmt.Println("\npvInfos: ", string(pvI))
 }
 }
 resultsMap, testResults := buildPolicyResults(engineResponses, values.Results, pvInfos, policyResourcePath, fs, isGit)
+ // rm, _ := json.Marshal(resultsMap)
+ // fmt.Println("\nresultsMap: ", string(rm))
+ // tr, _ := json.Marshal(testResults)
+ // fmt.Println("\ntestResults: ", string(tr))
 resultErr := printTestResult(resultsMap, testResults, rc)
 if resultErr != nil {
 return sanitizederror.NewWithError("Unable to genrate result. Error:", resultErr)
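Review bot: The `/` check removes the index panic, but `strings.Split` with `[1]` still drops anything after a second `/`, and an input of `ns/` yields an empty policy name; `strings.SplitN(policyName, "/", 2)` keeps the remainder intact and an empty second part could be reported to the caller. `policy_n_ns` is not Go naming (underscores); `parts` reads better. A doc comment stating the contract would help the two callers in this file: `// getUserDefinedPolicyNameAndNamespace splits "namespace/name"; a bare name returns ("", name).`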
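Review bot: The `// er, _ := json.Marshal(ers)` … `// fmt.Println(...)` lines added to `applyPoliciesFromPath` are commented-out debug output committed to the tree; the same pattern recurs in the `printTestResult` and `GetAllPossibleResultsKey` hunks of this and the following two patches. Either delete them before merge or turn them into `log.Log.V(4).Info(...)` calls so the output is reachable without editing code. The adjacent context string `Unable to genrate result. Error:` has a typo (`generate`).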
@@ -660,54 +668,78 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T if v.Namespace != "" { namespace = v.Namespace } + // fmt.Println("namespace: ", namespace) res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + // fmt.Println("res.Resource: ", res.Resource) var ruleNameInResultKey string + if v.AutoGeneratedRule != "" { ruleNameInResultKey = fmt.Sprintf("%s-%s", v.AutoGeneratedRule, v.Rule) + // fmt.Println("v.AutoGeneratedRule....ruleNameInResultKey: ", ruleNameInResultKey) } else { ruleNameInResultKey = v.Rule + // fmt.Println("else.....ruleNameInResultKey: ", ruleNameInResultKey) } resultKey := fmt.Sprintf("%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Kind, v.Resource) found, _ := isNamespacedPolicy(v.Policy) + // fmt.Println("resultKey: ", resultKey) + // fmt.Println("found; ", found) var ns string + // fmt.Println("\nv.policy: ", v.Policy) ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy) + // fmt.Println("nas: ", ns, "\nv.policy: ", v.Policy) + if found && v.Namespace != "" { resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) + // fmt.Println("1...\n resultKey: ", resultKey) } else if found { resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Kind, v.Resource) res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy) res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) + // fmt.Println("2...\n resultKey: ", resultKey) + // fmt.Println("res.Policy: ", res.Policy) + // fmt.Println("res.Resource: ", res.Resource) } else if v.Namespace != "" { res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource) resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) + // 
fmt.Println("3...\n resultKey: ", resultKey) + // fmt.Println("res.Resource: ", res.Resource) } var testRes report.PolicyReportResult if val, ok := resps[resultKey]; ok { testRes = val + // fmt.Println("1--- testRes: ", testRes) } else { res.Result = boldYellow.Sprintf("Not found") rc.Fail++ table = append(table, res) - continue + // fmt.Println("2--- ") + // continue } + // fmt.Println("v.Result: ", v.Result, " v.Status: ", v.Status) if v.Result == "" && v.Status != "" { v.Result = v.Status + // fmt.Println("......v.Result: ", v.Result) } + // fmt.Println("v.Result: ", v.Result, " testRes.Result: ", testRes.Result) if testRes.Result == v.Result { if testRes.Result == report.StatusSkip { - res.Result = boldYellow.Sprintf("Skip") + // fmt.Println("skip....") + res.Result = boldGreen.Sprintf("Pass") rc.Skip++ } else { + // fmt.Println("pass....") res.Result = boldGreen.Sprintf("Pass") rc.Pass++ } } else { + // fmt.Println("fail....") res.Result = boldRed.Sprintf("Fail") rc.Fail++ } From a2e106a87adc9a3016ca8f97758bd69db6b42bc5 Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Mon, 4 Oct 2021 11:27:59 +0530 Subject: [PATCH 45/50] fixed global variable test cases Signed-off-by: NoSkillGirl --- pkg/kyverno/test/test_command.go | 10 ++++++++-- test/cli/test/variables/test.yaml | 4 ++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 5535d5e09a..9eed297f10 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -386,6 +386,8 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu } } + // fmt.Println("3*****resultsKey: ", resultsKey) + patcheResourcePath = append(patcheResourcePath, test.PatchedResource) if _, ok := results[resultsKey]; !ok { 
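Review bot: In the `testRes.Result == report.StatusSkip` branch the label changes from `boldYellow.Sprintf("Skip")` to `boldGreen.Sprintf("Pass")` while `rc.Skip++` is still incremented, so a skipped test is displayed as Pass but counted as Skip and the table and summary disagree. If skipped results are meant to count as passing, change the counter too; otherwise restore `res.Result = boldYellow.Sprintf("Skip")`. Commenting out `continue` in the `Not found` branch lets the loop fall through, so `res` is appended to `table` a second time with a Pass/Fail label and a second counter is bumped for the same test (as rendered; the next patch in this series restores the `continue`). `printTestResult` starts outside the hunk.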
@@ -464,6 +466,7 @@ func GetAllPossibleResultsKey(policyNs, policy, rule, resourceNsnamespace, kind, resultKey3 := fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource) resultKey4 := fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, resourceNsnamespace, kind, resource) resultsKey = append(resultsKey, resultKey1, resultKey2, resultKey3, resultKey4) + // fmt.Println("resultsKey: ", resultsKey) return resultsKey } @@ -642,7 +645,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s // rm, _ := json.Marshal(resultsMap) // fmt.Println("\nresultsMap: ", string(rm)) // tr, _ := json.Marshal(testResults) - // fmt.Println("\ntestResults: ", string(tr)) + // fmt.Println("\testResults: ", string(tr)) resultErr := printTestResult(resultsMap, testResults, rc) if resultErr != nil { return sanitizederror.NewWithError("Unable to genrate result. Error:", resultErr) @@ -692,6 +695,8 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy) // fmt.Println("nas: ", ns, "\nv.policy: ", v.Policy) + // fmt.Println("found: ", found, " v.Namespace: ", v.Namespace) + // fmt.Println("1*******resultKey: ", resultKey) if found && v.Namespace != "" { resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource) // fmt.Println("1...\n resultKey: ", resultKey) @@ -708,6 +713,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T // fmt.Println("3...\n resultKey: ", resultKey) // fmt.Println("res.Resource: ", res.Resource) } + // fmt.Println("2*******resultKey: ", resultKey) var testRes report.PolicyReportResult if val, ok := resps[resultKey]; ok { 
@@ -718,7 +724,7 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T
 rc.Fail++
 table = append(table, res)
 // fmt.Println("2--- ")
- // continue
+ continue
 }
 // fmt.Println("v.Result: ", v.Result, " v.Status: ", v.Status)
diff --git a/test/cli/test/variables/test.yaml b/test/cli/test/variables/test.yaml
index d29f364055..749ecd40ec 100644
--- a/test/cli/test/variables/test.yaml
+++ b/test/cli/test/variables/test.yaml
@@ -31,16 +31,20 @@ results:
 - policy: cm-blk-scalar-example
 rule: validate-blk-role-annotation
 resource: test-blk-web
+ kind: Pod
 result: fail
 - policy: cm-blk-scalar-example
 rule: validate-blk-role-annotation
 resource: test-blk-app
+ kind: Pod
 result: pass
 - policy: cm-globalval-example
 rule: validate-mode
 resource: test-global-dev
+ kind: Pod
 result: pass
 - policy: cm-globalval-example
 rule: validate-mode
 resource: test-global-prod
+ kind: Pod
 result: fail
From 0614c2db1fa920f19b1a1f87e8485a1c9b5784c9 Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Tue, 5 Oct 2021 12:39:58 +0530
Subject: [PATCH 46/50] fixed rule pointer
Signed-off-by: NoSkillGirl
---
 pkg/engine/validation.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 1745fbadd3..3459ca7746 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -419,14 +419,14 @@ func isEmptyUnstructured(u *unstructured.Unstructured) bool {
 }
 // matches checks if either the new or old resource satisfies the filter conditions defined in the rule
-func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool {
- err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "")
+func matches(logger logr.Logger, rule *kyverno.Rule, ctx *PolicyContext) bool {
+ err := MatchesResourceDescription(ctx.NewResource, *rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "")
 if err == nil {
 return true
 }
 if !reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) {
- err := MatchesResourceDescription(ctx.OldResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "")
+ err := MatchesResourceDescription(ctx.OldResource, *rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels, "")
 if err == nil {
 return true
 }
From 98f756fcddbd84b437a16fa5439bda4af37e1698 Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Tue, 5 Oct 2021 12:42:23 +0530
Subject: [PATCH 47/50] change test case as master branch
Signed-off-by: NoSkillGirl
---
 test/cli/test/autogen/test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/cli/test/autogen/test.yaml b/test/cli/test/autogen/test.yaml
index bf19c8746f..8a54d08ddb 100644
--- a/test/cli/test/autogen/test.yaml
+++ b/test/cli/test/autogen/test.yaml
@@ -27,7 +27,7 @@ results:
 # TEST: Deployment with Labels Should Fail
 - policy: require-common-labels
 rule: check-for-labels
- result: fail
+ result: skip
 kind: Deployment
 resource: deployment-missing-labels
From b10947b9750d09f8295b3c691feaf2ae42c47bab Mon Sep 17 00:00:00 2001
From: shuting
Date: Tue, 5 Oct 2021 00:15:09 -0700
Subject: [PATCH 48/50] Dynamic webhooks (#2425)
* support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1
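Review bot: `matches` now takes `rule *kyverno.Rule` but immediately copies it with `*rule` for both `MatchesResourceDescription` calls, so the pointer saves no copying here and only adds a nil-dereference path; if the aim was to avoid copying the rule per call, `MatchesResourceDescription` would need the same change, otherwise the value parameter was simpler. If a caller (outside the hunk) requires the pointer, a guard `if rule == nil { return false }` at the top documents the contract. `logger` is unused in the visible part of the body.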
Signed-off-by: ShutingZhao * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao * set default failure policy to fail if not defined Signed-off-by: ShutingZhao * resolve conflicts Signed-off-by: ShutingZhao * fix missing type for printerColumn Signed-off-by: ShutingZhao * refactor policy controller Signed-off-by: ShutingZhao * add webhook config manager Signed-off-by: ShutingZhao * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao * fix panic on policy update Signed-off-by: ShutingZhao * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao * handle wildcard pocliy Signed-off-by: ShutingZhao * update default webhook timeout to 10s Signed-off-by: ShutingZhao * cleanups Signed-off-by: ShutingZhao * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao * fix e2e tests Signed-off-by: ShutingZhao * fix linter issue Signed-off-by: ShutingZhao * correct metric endpoint Signed-off-by: ShutingZhao * add pol.generate.kind to webhooks 
Signed-off-by: ShutingZhao --- charts/kyverno/templates/crds.yaml | 12 +- charts/kyverno/values.yaml | 2 +- cmd/kyverno/main.go | 17 +- .../crds/kyverno.io_clusterpolicies.yaml | 10 +- definitions/crds/kyverno.io_policies.yaml | 10 +- definitions/install.yaml | 14 +- definitions/install_debug.yaml | 14 +- pkg/api/kyverno/v1/clusterpolicy_types.go | 2 +- pkg/api/kyverno/v1/policy_types.go | 9 +- pkg/api/kyverno/v1/utils.go | 45 ++ pkg/config/dynamicconfig.go | 5 - pkg/dclient/client.go | 2 - pkg/engine/mutate/patches.go | 3 +- pkg/engine/mutation.go | 2 +- pkg/engine/validate/pattern.go | 3 - pkg/event/controller.go | 1 - pkg/generate/generate_controller.go | 1 - pkg/metrics/metrics.go | 2 +- pkg/metrics/policyruleinfo/policyRuleInfo.go | 19 +- pkg/policy/existing.go | 12 +- pkg/policy/metrics.go | 126 +++ ...ate_controller.go => policy_controller.go} | 120 --- pkg/policymutation/policymutation.go | 50 +- pkg/signal/signal_windows.go | 8 - pkg/testrunner/scenario.go | 1 - pkg/webhookconfig/certmanager.go | 15 +- pkg/webhookconfig/common.go | 130 ++- pkg/webhookconfig/configmanager.go | 755 ++++++++++++++++++ pkg/webhookconfig/monitor.go | 17 +- pkg/webhookconfig/policy.go | 46 +- pkg/webhookconfig/registration.go | 124 +-- pkg/webhookconfig/resource.go | 117 ++- pkg/webhooks/generate/generate.go | 2 - test/e2e/common/common.go | 12 +- 34 files changed, 1318 insertions(+), 390 deletions(-) create mode 100644 pkg/policy/metrics.go rename pkg/policy/{validate_controller.go => policy_controller.go} (74%) delete mode 100644 pkg/signal/signal_windows.go create mode 100644 pkg/webhookconfig/configmanager.go diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index bb94092d21..db5371d003 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -34,6 +34,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready 
@@ -1709,10 +1710,7 @@ spec: in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -3339,6 +3337,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready @@ -5015,10 +5014,7 @@ spec: in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index 809510d338..df83b43f7a 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml 
@@ -32,7 +32,7 @@ testImage:
 repository:
 # testImage.tag defaults to "latest" if omitted
 tag:
- # testImage.pullPolicy defaults to image.pullPolicy if ommitted
+ # testImage.pullPolicy defaults to image.pullPolicy if omitted
 pullPolicy:
 replicaCount: 1
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index e0f0ebec03..75d5ebf8c2 100755
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -10,8 +10,6 @@ import (
 "strings"
 "time"
- "github.com/kyverno/kyverno/pkg/cosign"
- "github.com/prometheus/client_golang/prometheus/promhttp"
 kubeinformers "k8s.io/client-go/informers"
 "k8s.io/klog/v2"
@@ -23,6 +21,7 @@ import (
 kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
 "github.com/kyverno/kyverno/pkg/common"
 "github.com/kyverno/kyverno/pkg/config"
+ "github.com/kyverno/kyverno/pkg/cosign"
 dclient "github.com/kyverno/kyverno/pkg/dclient"
 event "github.com/kyverno/kyverno/pkg/event"
 "github.com/kyverno/kyverno/pkg/generate"
@@ -59,6 +58,7 @@ var (
 genWorkers int
 profile bool
 disableMetricsExport bool
+ autoUpdateWebhooks bool
 policyControllerResyncPeriod time.Duration
 imagePullSecrets string
 imageSignatureRepository string
@@ -71,7 +71,8 @@ func main() { flag.StringVar(&filterK8sResources, "filterK8sResources", "", "Resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. For example, --filterK8sResources \"[Deployment, kyverno, kyverno],[Events, *, *]\"") flag.StringVar(&excludeGroupRole, "excludeGroupRole", "", "") flag.StringVar(&excludeUsername, "excludeUsername", "", "") - flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "Timeout for webhook configurations") + // deprecated + flag.IntVar(&webhookTimeout, "webhooktimeout", int(webhookconfig.DefaultWebhookTimeout), "Timeout for webhook configurations. Deprecated and will be removed in 1.6.0.") flag.IntVar(&genWorkers, "gen-workers", 10, "Workers for generate controller") flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.") flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.") @@ -82,6 +83,7 @@ func main() { flag.DurationVar(&policyControllerResyncPeriod, "background-scan", time.Hour, "Perform background scan every given interval, e.g., 30s, 15m, 1h.") flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.") flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.") + flag.BoolVar(&autoUpdateWebhooks, "auto-update-webhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.") if err := flag.Set("v", "2"); err != nil { setupLog.Error(err, "failed to set log level") 
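Review bot: The deprecation of `--webhooktimeout` in the rewritten `flag.IntVar` line lives only in the help text; an operator who still sets the flag gets no runtime signal that it is ignored in favour of the policy-level `webhookTimeoutSeconds`, and the value is still forwarded to `webhookconfig.NewRegister` in a later hunk. After `flag.Parse()` consider `flag.Visit(func(f *flag.Flag) { if f.Name == "webhooktimeout" { setupLog.Info("--webhooktimeout is deprecated and will be removed in 1.6.0") } })`. The bare `// deprecated` comment would be more useful as the Go convention tooling recognises, `// Deprecated: use the policy-level webhookTimeoutSeconds field instead.` main's body continues outside the hunk.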
@@ -218,10 +220,15 @@ func main() { webhookCfg := webhookconfig.NewRegister( clientConfig, client, + pclient, rCache, + pInformer.Kyverno().V1().ClusterPolicies(), + pInformer.Kyverno().V1().Policies(), serverIP, int32(webhookTimeout), debug, + autoUpdateWebhooks, + stopCh, log.Log) webhookMonitor, err := webhookconfig.NewMonitor(kubeClient, log.Log.WithName("WebhookMonitor")) @@ -381,7 +388,9 @@ func main() { os.Exit(1) } - go webhookCfg.UpdateWebhookConfigurations(configData) + if !autoUpdateWebhooks { + go webhookCfg.UpdateWebhookConfigurations(configData) + } if registrationErr := registerWrapperRetry(); registrationErr != nil { setupLog.Error(err, "Timeout registering admission control webhooks") os.Exit(1) diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index f9d775ad59..0de3d3fc30 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml @@ -27,6 +27,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready @@ -1709,10 +1710,11 @@ spec: in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
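Review bot: The new `if !autoUpdateWebhooks` gate means that with the default configuration (the flag defaults to true in the earlier flags hunk) `webhookCfg.UpdateWebhookConfigurations(configData)` is never started, so webhook configurations are only refreshed from the ConfigMap-driven `configData` if the auto-update path inside `NewRegister` also watches it; nothing in this hunk shows that, so please confirm, because a webhook scope that stops tracking resource-filter changes silently alters which admission requests reach Kyverno. The adjacent error path also logs the wrong variable: `setupLog.Error(err, "Timeout registering admission control webhooks")` should be `setupLog.Error(registrationErr, "Timeout registering admission control webhooks")`, otherwise the real registration failure is dropped and a stale (likely nil) `err` is logged right before `os.Exit(1)`. Both lines sit inside `main`, whose body continues outside the hunk.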
diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index c624d893c2..d5cbbf8671 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml @@ -27,6 +27,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready @@ -1710,10 +1711,11 @@ spec: in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for - this policy. After the timeout passes, the admission request will - fail based on the failure policy. The default timeout is 3s, the - value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object diff --git a/definitions/install.yaml b/definitions/install.yaml index 42c273bbf7..3006502b92 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -45,6 +45,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready 
@@ -1086,7 +1087,11 @@ spec: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -2312,6 +2317,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready 
@@ -3353,7 +3359,11 @@ spec: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 4d06fa3e67..ac9cc4e21c 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -32,6 +32,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready 
@@ -1073,7 +1074,11 @@ spec: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object @@ -2271,6 +2276,7 @@ spec: type: string - jsonPath: .spec.failurePolicy name: Failure Policy + priority: 1 type: string - jsonPath: .status.ready name: Ready 
@@ -3312,7 +3318,11 @@ spec: description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds. + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. format: int32 type: integer type: object diff --git a/pkg/api/kyverno/v1/clusterpolicy_types.go b/pkg/api/kyverno/v1/clusterpolicy_types.go index 8a047dcd60..079245b700 100644 --- a/pkg/api/kyverno/v1/clusterpolicy_types.go +++ b/pkg/api/kyverno/v1/clusterpolicy_types.go @@ -13,7 +13,7 @@ import ( // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol // +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy" +// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready` type ClusterPolicy struct { metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 1a1236bf68..267a41be0e 100755 
--- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -22,7 +22,7 @@ type PolicyList struct { // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background" // +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy" +// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready` // +kubebuilder:resource:shortName=pol type Policy struct { @@ -68,10 +68,9 @@ type Spec struct { // +optional SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"` - // WebhookTimeoutSeconds specifies the webhook timeout for this policy. - // After the timeout passes, the admission request will fail based on the failure policy. - // The default timeout is 3s, the value must be between 1 and 30 seconds. - // Default to 10 seconds. + // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + // After the configured time expires, the admission request may fail, or may simply ignore the policy results, + // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` } diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go index 465d345920..8656c1610c 100755 --- a/pkg/api/kyverno/v1/utils.go +++ b/pkg/api/kyverno/v1/utils.go 
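Review bot: The rewritten comment on `WebhookTimeoutSeconds` says the value must be between 1 and 30 seconds, but the field carries no validation marker in this hunk, so the generated CRD schema documents the bound without enforcing it; since the API server itself only accepts webhook timeouts in that range, an out-of-range policy value would likely surface later as a webhook registration failure rather than being rejected when the policy is created. If no validation exists elsewhere, add `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` above the field and regenerate the CRDs so the documented constraint is actually checked. The enclosing `Spec` struct starts outside the hunk.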
@@ -38,6 +38,28 @@ func (p *ClusterPolicy) HasMutate() bool {
return false
}
+// HasValidate checks for validate rule types
+func (p *ClusterPolicy) HasValidate() bool {
+ for _, rule := range p.Spec.Rules {
+ if rule.HasValidate() {
+ return true
+ }
+ }
+
+ return false
+}
+
+// HasGenerate checks for generate rule types
+func (p *ClusterPolicy) HasGenerate() bool {
+ for _, rule := range p.Spec.Rules {
+ if rule.HasGenerate() {
+ return true
+ }
+ }
+
+ return false
+}
+
//HasVerifyImages checks for image verification rule types
func (p *ClusterPolicy) HasVerifyImages() bool {
for _, rule := range p.Spec.Rules {
@@ -78,6 +100,29 @@ func (r Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, Generation{})
}
+func (r Rule) MatchKinds() []string {
+ matchKinds := r.MatchResources.ResourceDescription.Kinds
+ for _, value := range r.MatchResources.All {
+ matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
+ }
+ for _, value := range r.MatchResources.Any {
+ matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
+ }
+
+ return matchKinds
+}
+
+func (r Rule) ExcludeKinds() []string {
+ excludeKinds := r.ExcludeResources.ResourceDescription.Kinds
+ for _, value := range r.ExcludeResources.All {
+ excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
+ }
+ for _, value := range r.ExcludeResources.Any {
+ excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
+ }
+ return excludeKinds
+}
+
// DeserializeAnyPattern deserialize apiextensions.JSON to []interface{}
func (in *Validation) DeserializeAnyPattern() ([]interface{}, error) {
if in.AnyPattern == nil {
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index c1acacafe2..197a606570 100644
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
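Review bot: `MatchKinds` starts from `r.MatchResources.ResourceDescription.Kinds` and then `append`s to it, so whenever that slice has spare capacity the `All`/`Any` kinds are written into the rule's own backing array and become visible to anything else holding the rule; `ExcludeKinds` has the same aliasing. Copy before appending, e.g. `matchKinds := append([]string(nil), r.MatchResources.ResourceDescription.Kinds...)` and likewise `excludeKinds := append([]string(nil), r.ExcludeResources.ResourceDescription.Kinds...)`, so callers such as `processExistingKinds` can neither observe nor corrupt the policy's declared kinds. Both exported methods also lack doc comments; `// MatchKinds returns the kinds listed in match.resources, match.all and match.any.` and the mirror sentence for `ExcludeKinds` would satisfy the linter and make the merge semantics explicit.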
@@ -144,8 +144,6 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI cd.restrictDevelopmentUsername = []string{"minikube-user", "kubernetes-admin"} - //TODO: this has been added to backward support command line arguments - // will be removed in future and the configuration will be set only via configmaps if filterK8sResources != "" { cd.log.Info("init configuration from commandline arguments for filterK8sResources") cd.initFilters(filterK8sResources) @@ -320,8 +318,6 @@ func (cd *ConfigData) load(cm v1.ConfigMap) (reconcilePolicyReport, updateWebhoo return } -//TODO: this has been added to backward support command line arguments -// will be removed in future and the configuration will be set only via configmaps func (cd *ConfigData) initFilters(filters string) { logger := cd.log // parse and load the configuration @@ -380,7 +376,6 @@ func parseKinds(list string) []k8Resource { element = strings.Trim(element, "[") element = strings.Trim(element, "]") elements := strings.Split(element, ",") - //TODO: wildcards for namespace and name if len(elements) == 0 { continue } diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index 7274f6b394..c342b57a11 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go @@ -76,8 +76,6 @@ func (c *Client) NewDynamicSharedInformerFactory(defaultResync time.Duration) dy } //GetEventsInterface provides typed interface for events -//TODO: can we use dynamic client to fetch the typed interface -// or generate a kube client value to access the interface func (c *Client) GetEventsInterface() (event.EventInterface, error) { return c.kclient.CoreV1().Events(""), nil } diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go index 4685ab9a64..231ae5c43c 100644 --- a/pkg/engine/mutate/patches.go +++ b/pkg/engine/mutate/patches.go 
@@ -52,7 +52,6 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation, continue } patchResource, err := applyPatch(resourceRaw, patchRaw) - // TODO: continue on error if one of the patches fails, will add the failure event in such case if err != nil && patch.Operation == "remove" { log.Error(err, "failed to process JSON path or patch is a 'remove' operation") continue @@ -79,7 +78,7 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation, } err = patchedResource.UnmarshalJSON(resourceRaw) if err != nil { - logger.Error(err, "failed to unmmarshal resource") + logger.Error(err, "failed to unmarshal resource") resp.Status = response.RuleStatusFail resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index fe178a623e..c1b9abd7aa 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -116,7 +116,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { if *ruleCopy, err = variables.SubstituteAllInRule(logger, ctx, *ruleCopy); err != nil { ruleResp := response.RuleResponse{ Name: ruleCopy.Name, - Type: utils.Validation.String(), + Type: utils.Mutation.String(), Message: fmt.Sprintf("variable substitution failed: %s", err.Error()), Status: response.RuleStatusPass, } diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go index 48efbfaadf..98bc508c99 100644 --- a/pkg/engine/validate/pattern.go +++ b/pkg/engine/validate/pattern.go @@ -42,10 +42,8 @@ func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool case nil: return validateValueWithNilPattern(log, value) case map[string]interface{}: - // TODO: check if this is ever called? return validateValueWithMapPattern(log, value, typedPattern) case []interface{}: - // TODO: check if this is ever called? log.Info("arrays are not supported as patterns") return false default: 
@@ -57,7 +55,6 @@ func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool func validateValueWithMapPattern(log logr.Logger, value interface{}, typedPattern map[string]interface{}) bool { // verify the type of the resource value is map[string]interface, // we only check for existence of object, not the equality of content and value - //TODO: check if adding _, ok := value.(map[string]interface{}) if !ok { log.Info("Expected type map[string]interface{}", "type", fmt.Sprintf("%T", value), "value", value) diff --git a/pkg/event/controller.go b/pkg/event/controller.go index 7f09422f4f..2e7eb2a255 100644 --- a/pkg/event/controller.go +++ b/pkg/event/controller.go @@ -188,7 +188,6 @@ func (gen *Generator) syncHandler(key Info) error { var err error switch key.Kind { case "ClusterPolicy": - //TODO: policy is clustered resource so wont need namespace robj, err = gen.cpLister.Get(key.Name) if err != nil { logger.Error(err, "failed to get cluster policy", "name", key.Name) diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go index a2648832dc..0a6f30de62 100644 --- a/pkg/generate/generate_controller.go +++ b/pkg/generate/generate_controller.go @@ -64,7 +64,6 @@ type Controller struct { // dynamic shared informer factory dynamicInformer dynamicinformer.DynamicSharedInformerFactory - //TODO: list of generic informers // only support Namespaces for re-evaluation on resource updates nsInformer informers.GenericInformer log logr.Logger diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go index 69a47a70e9..feb23a9285 100644 --- a/pkg/metrics/metrics.go +++ b/pkg/metrics/metrics.go 
@@ -47,7 +47,7 @@ func NewPromConfig(metricsConfigData *config.MetricsConfigData, log logr.Logger)
)
policyRuleInfoLabels := []string{
- "policy_validation_mode", "policy_type", "policy_background_mode", "policy_namespace", "policy_name", "rule_name", "rule_type",
+ "policy_validation_mode", "policy_type", "policy_background_mode", "policy_namespace", "policy_name", "rule_name", "rule_type", "status_ready",
}
policyRuleInfoMetric := prom.NewGaugeVec(
prom.GaugeOpts{
diff --git a/pkg/metrics/policyruleinfo/policyRuleInfo.go b/pkg/metrics/policyruleinfo/policyRuleInfo.go
index c5ee306a00..a72346d5b5 100644
--- a/pkg/metrics/policyruleinfo/policyRuleInfo.go
+++ b/pkg/metrics/policyruleinfo/policyRuleInfo.go
@@ -15,6 +15,7 @@ func (pc PromConfig) registerPolicyRuleInfoMetric(
policyNamespace, policyName, ruleName string,
ruleType metrics.RuleType,
metricChangeType PolicyRuleInfoMetricChangeType,
+ ready bool,
) error {
var metricValue float64
switch metricChangeType {
@@ -40,6 +41,11 @@ func (pc PromConfig) registerPolicyRuleInfoMetric(
policyNamespace = "-"
}
+ status := "false"
+ if ready {
+ status = "true"
+ }
+
pc.Metrics.PolicyRuleInfo.With(prom.Labels{
"policy_validation_mode": string(policyValidationMode),
"policy_type": string(policyType),
@@ -48,6 +54,7 @@ func (pc PromConfig) registerPolicyRuleInfoMetric(
"policy_name": policyName,
"rule_name": ruleName,
"rule_type": string(ruleType),
+ "status_ready": status,
}).Set(metricValue)
return nil
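Review bot: The `status_ready` label added in `registerPolicyRuleInfoMetric` is derived from whatever policy object each caller passes in, so a `PolicyRuleDeleted` write only zeroes the series that was created earlier if `Status.Ready` has the same value at both moments; if readiness flips without an update event reaching this path, the `status_ready="false"` series stays at 1 and the rule appears twice in `kyverno_policy_rule_info_total`. Consider having the delete path call `Delete` on the gauge vec for both label values, or make sure status-only updates also run the remove/add sequence, and note that setting 0 rather than deleting leaves the label combination in the scrape output indefinitely. The manual if/else can be `status := strconv.FormatBool(ready)` with a `strconv` import. The function's signature begins outside the hunk.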
@@ -64,12 +71,13 @@ func (pc PromConfig) AddPolicy(policy interface{}) error { policyType := metrics.Cluster policyNamespace := "" // doesn't matter for cluster policy policyName := inputPolicy.ObjectMeta.Name + ready := inputPolicy.Status.Ready // registering the metrics on a per-rule basis for _, rule := range inputPolicy.Spec.Rules { ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) - if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated); err != nil { + if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated, ready); err != nil { return err } } @@ -83,12 +91,13 @@ func (pc PromConfig) AddPolicy(policy interface{}) error { policyType := metrics.Namespaced policyNamespace := inputPolicy.ObjectMeta.Namespace policyName := inputPolicy.ObjectMeta.Name + ready := inputPolicy.Status.Ready // registering the metrics on a per-rule basis for _, rule := range inputPolicy.Spec.Rules { ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) - if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated); err != nil { + if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated, ready); err != nil { return err } } 
@@ -112,8 +121,9 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error { policyName := inputPolicy.ObjectMeta.Name ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) + ready := inputPolicy.Status.Ready - if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted); err != nil { + if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted, ready); err != nil { return err } } @@ -130,8 +140,9 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error { policyName := inputPolicy.ObjectMeta.Name ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) + ready := inputPolicy.Status.Ready - if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted); err != nil { + if err = pc.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted, ready); err != nil { return err } } diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index ce92079072..8365e0079e 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -29,15 +29,8 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli continue } - match := rule.MatchResources - - for _, value := range match.Any { - pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) - } - for _, value := range match.All { - pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger) - } - pc.processExistingKinds(match.Kinds, policy, rule, logger) + matchKinds := rule.MatchKinds() + pc.processExistingKinds(matchKinds, policy, rule, logger) } } 
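Review bot: In both `RemovePolicy` loops the new `ready := inputPolicy.Status.Ready` is declared inside the per-rule `for` body, whereas `AddPolicy` in the preceding hunk hoists the identical read above its loop; the value cannot change between iterations, so lift it out here too for consistency and to make clear that one readiness value applies to every rule of the policy. The loop headers and the start of `RemovePolicy` are outside the hunk.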
@@ -161,7 +154,6 @@ type resourceManager interface { } //Drop drop the cache after every rebuild interval mins -//TODO: or drop based on the size func (rm *ResourceManager) Drop() { timeSince := time.Since(rm.time) if timeSince > time.Duration(rm.rebuildTime)*time.Second { diff --git a/pkg/policy/metrics.go b/pkg/policy/metrics.go new file mode 100644 index 0000000000..4b75afefd6 --- /dev/null +++ b/pkg/policy/metrics.go 
@@ -0,0 +1,126 @@ +package policy + +import ( + "reflect" + + "github.com/go-logr/logr" + kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" + policyChangesMetric "github.com/kyverno/kyverno/pkg/metrics/policychanges" + policyRuleInfoMetric "github.com/kyverno/kyverno/pkg/metrics/policyruleinfo" +) + +func (pc *PolicyController) registerPolicyRuleInfoMetricAddPolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(p) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's creation", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyRuleInfoMetricUpdatePolicy(logger logr.Logger, oldP, curP *kyverno.ClusterPolicy) { + // removing the old rules associated metrics + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(oldP) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) + } + // adding the new rules associated metrics + err = policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(curP) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) + } +} + +func (pc *PolicyController) registerPolicyRuleInfoMetricDeletePolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(p) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's deletion", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyChangesMetricAddPolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyCreated) + if err != nil { + 
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's creation", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyChangesMetricUpdatePolicy(logger logr.Logger, oldP, curP *kyverno.ClusterPolicy) { + if reflect.DeepEqual((*oldP).Spec, (*curP).Spec) { + return + } + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(oldP, policyChangesMetric.PolicyUpdated) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.Name) + } + // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: + if curP.Spec.Background != oldP.Spec.Background || curP.Spec.ValidationFailureAction != oldP.Spec.ValidationFailureAction { + err = policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(curP, policyChangesMetric.PolicyUpdated) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.Name) + } + } +} + +func (pc *PolicyController) registerPolicyChangesMetricDeletePolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyDeleted) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's deletion", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyRuleInfoMetricDeleteNsPolicy(logger logr.Logger, p *kyverno.Policy) { + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(p) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's deletion", "name", p.Name) + } +} + +func (pc *PolicyController) 
registerPolicyChangesMetricAddNsPolicy(logger logr.Logger, p *kyverno.Policy) { + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyCreated) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's creation", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyChangesMetricUpdateNsPolicy(logger logr.Logger, oldP, curP *kyverno.Policy) { + if reflect.DeepEqual((*oldP).Spec, (*curP).Spec) { + return + } + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(oldP, policyChangesMetric.PolicyUpdated) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.Name) + } + // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: + if curP.Spec.Background != oldP.Spec.Background || curP.Spec.ValidationFailureAction != oldP.Spec.ValidationFailureAction { + err = policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(curP, policyChangesMetric.PolicyUpdated) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.Name) + } + } +} + +func (pc *PolicyController) registerPolicyChangesMetricDeleteNsPolicy(logger logr.Logger, p *kyverno.Policy) { + err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyDeleted) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's deletion", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyRuleInfoMetricAddNsPolicy(logger logr.Logger, p *kyverno.Policy) { + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(p) + if err != nil { + logger.Error(err, "error 
occurred while registering kyverno_policy_rule_info_total metrics for the above policy's creation", "name", p.Name) + } +} + +func (pc *PolicyController) registerPolicyRuleInfoMetricUpdateNsPolicy(logger logr.Logger, oldP, curP *kyverno.Policy) { + // removing the old rules associated metrics + err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(oldP) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) + } + // adding the new rules associated metrics + err = policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(curP) + if err != nil { + logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) + } +} diff --git a/pkg/policy/validate_controller.go b/pkg/policy/policy_controller.go similarity index 74% rename from pkg/policy/validate_controller.go rename to pkg/policy/policy_controller.go index 68b796fc3c..c9f43d6bfb 100644 --- a/pkg/policy/validate_controller.go +++ b/pkg/policy/policy_controller.go @@ -21,7 +21,6 @@ import ( "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/kyverno/common" "github.com/kyverno/kyverno/pkg/metrics" - policyRuleInfoMetric "github.com/kyverno/kyverno/pkg/metrics/policyruleinfo" pm "github.com/kyverno/kyverno/pkg/policymutation" "github.com/kyverno/kyverno/pkg/policyreport" "github.com/kyverno/kyverno/pkg/resourcecache" @@ -40,8 +39,6 @@ import ( "k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/record" "k8s.io/client-go/util/workqueue" - - policyChangesMetric "github.com/kyverno/kyverno/pkg/metrics/policychanges" ) const ( @@ -176,7 +173,6 @@ func NewPolicyController( // resource manager // rebuild after 300 seconds/ 5 mins - //TODO: pass the time in seconds instead of converting it internally pc.rm = NewResourceManager(30) return &pc, nil 
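Review bot: In `registerPolicyRuleInfoMetricUpdatePolicy` and `registerPolicyRuleInfoMetricUpdateNsPolicy` the error log after `AddPolicy(curP)` reports `"name", oldP.Name`; it should be `"name", curP.Name`, since the failure concerns the new object and the two names are only coincidentally equal on the update path. This code is moved from validate_controller.go so the slip predates the commit, but the move is the natural moment to fix it, and the same helpers can drop the `(*oldP).Spec` dereference for plain `oldP.Spec`. The messages' "for the above policy's updation" refers to an "above" that does not exist in structured log output; something like `"registering kyverno_policy_changes_total for updated policy"` reads correctly in isolation.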
@@ -197,64 +193,6 @@ func (pc *PolicyController) canBackgroundProcess(p *kyverno.ClusterPolicy) bool return true } -func (pc *PolicyController) registerPolicyRuleInfoMetricAddPolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(p) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's creation", "name", p.Name) - } -} - -func (pc *PolicyController) registerPolicyRuleInfoMetricUpdatePolicy(logger logr.Logger, oldP, curP *kyverno.ClusterPolicy) { - // removing the old rules associated metrics - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(oldP) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) - } - // adding the new rules associated metrics - err = policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(curP) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) - } -} - -func (pc *PolicyController) registerPolicyRuleInfoMetricDeletePolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(p) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's deletion", "name", p.Name) - } -} - -func (pc *PolicyController) registerPolicyChangesMetricAddPolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyCreated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's creation", "name", p.Name) - } -} - -func (pc *PolicyController) 
registerPolicyChangesMetricUpdatePolicy(logger logr.Logger, oldP, curP *kyverno.ClusterPolicy) { - if reflect.DeepEqual((*oldP).Spec, (*curP).Spec) { - return - } - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(oldP, policyChangesMetric.PolicyUpdated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.Name) - } - // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: - if curP.Spec.Background != oldP.Spec.Background || curP.Spec.ValidationFailureAction != oldP.Spec.ValidationFailureAction { - err = policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(curP, policyChangesMetric.PolicyUpdated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.Name) - } - } -} - -func (pc *PolicyController) registerPolicyChangesMetricDeletePolicy(logger logr.Logger, p *kyverno.ClusterPolicy) { - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyDeleted) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's deletion", "name", p.Name) - } -} - func (pc *PolicyController) addPolicy(obj interface{}) { logger := pc.log p := obj.(*kyverno.ClusterPolicy) 
@@ -353,64 +291,6 @@ func (pc *PolicyController) deletePolicy(obj interface{}) { } } -func (pc *PolicyController) registerPolicyRuleInfoMetricAddNsPolicy(logger logr.Logger, p *kyverno.Policy) { - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(p) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's creation", "name", p.Name) - } -} - -func (pc *PolicyController) registerPolicyRuleInfoMetricUpdateNsPolicy(logger logr.Logger, oldP, curP *kyverno.Policy) { - // removing the old rules associated metrics - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(oldP) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) - } - // adding the new rules associated metrics - err = policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).AddPolicy(curP) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's updation", "name", oldP.Name) - } -} - -func (pc *PolicyController) registerPolicyRuleInfoMetricDeleteNsPolicy(logger logr.Logger, p *kyverno.Policy) { - err := policyRuleInfoMetric.ParsePromConfig(*pc.promConfig).RemovePolicy(p) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_rule_info_total metrics for the above policy's deletion", "name", p.Name) - } -} - -func (pc *PolicyController) registerPolicyChangesMetricAddNsPolicy(logger logr.Logger, p *kyverno.Policy) { - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyCreated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's creation", "name", p.Name) - } -} - -func (pc *PolicyController) registerPolicyChangesMetricUpdateNsPolicy(logger logr.Logger, 
oldP, curP *kyverno.Policy) { - if reflect.DeepEqual((*oldP).Spec, (*curP).Spec) { - return - } - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(oldP, policyChangesMetric.PolicyUpdated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.Name) - } - // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: - if curP.Spec.Background != oldP.Spec.Background || curP.Spec.ValidationFailureAction != oldP.Spec.ValidationFailureAction { - err = policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(curP, policyChangesMetric.PolicyUpdated) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.Name) - } - } -} - -func (pc *PolicyController) registerPolicyChangesMetricDeleteNsPolicy(logger logr.Logger, p *kyverno.Policy) { - err := policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(p, policyChangesMetric.PolicyDeleted) - if err != nil { - logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's deletion", "name", p.Name) - } -} - func (pc *PolicyController) addNsPolicy(obj interface{}) { logger := pc.log p := obj.(*kyverno.Policy) diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index 94253d5844..5e4279a3bf 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go 
@@ -38,6 +38,11 @@ func GenerateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logg updateMsgs = append(updateMsgs, updateMsg) } + if patch, updateMsg := defaultFailurePolicy(policy, log); patch != nil { + patches = append(patches, patch) + updateMsgs = append(updateMsgs, updateMsg) + } + patch, errs := GeneratePodControllerRule(*policy, log) if len(errs) > 0 { var errMsgs []string @@ -307,6 +312,33 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg return nil, "" } +func defaultFailurePolicy(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) { + // set failurePolicy to Fail if not present + failurePolicy := string(kyverno.Fail) + if policy.Spec.FailurePolicy == nil { + log.V(4).Info("setting default value", "spec.failurePolicy", failurePolicy) + jsonPatch := struct { + Path string `json:"path"` + Op string `json:"op"` + Value string `json:"value"` + }{ + "/spec/failurePolicy", + "add", + string(kyverno.Fail), + } + + patchByte, err := json.Marshal(jsonPatch) + if err != nil { + log.Error(err, "failed to set default value", "spec.failurePolicy", failurePolicy) + return nil, "" + } + + log.V(3).Info("generated JSON Patch to set default", "spec.failurePolicy", failurePolicy) + return patchByte, fmt.Sprintf("default failurePolicy to '%s'", failurePolicy) + } + + return nil, "" +} // podControllersKey annotation could be: // scenario A: not exist, set default to "all", which generates on all pod controllers 
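Review bot: defaultFailurePolicy recomputes a value it already holds: the literal's Value field is `string(kyverno.Fail)` while the `failurePolicy` local two lines earlier carries the same string, so the two can drift if the default ever changes; use `failurePolicy` in the literal. The function also lacks a doc comment; something like `// defaultFailurePolicy returns a JSON patch adding spec.failurePolicy=Fail when the field is unset, and nil, "" when it is already set or the patch cannot be encoded.` would do. Worth noting in that comment is that an unset field is exactly what buildWebhooks in configmanager.go (later in this patch) routes to the Fail webhook, so persisting the default keeps the stored policy and the registered webhook in agreement. defaultFailurePolicy is shown in full here; the GenerateJSONPatchesForDefaults body that calls it in the hunk above continues outside that hunk.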
@@ -534,20 +566,10 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr. match := rule.MatchResources exclude := rule.ExcludeResources - matchResourceDescriptionsKinds := match.ResourceDescription.Kinds - for _, value := range match.All { - matchResourceDescriptionsKinds = append(matchResourceDescriptionsKinds, value.ResourceDescription.Kinds...) - } - for _, value := range match.Any { - matchResourceDescriptionsKinds = append(matchResourceDescriptionsKinds, value.ResourceDescription.Kinds...) - } - excludeResourceDescriptionsKinds := exclude.ResourceDescription.Kinds - for _, value := range exclude.All { - excludeResourceDescriptionsKinds = append(excludeResourceDescriptionsKinds, value.ResourceDescription.Kinds...) - } - for _, value := range exclude.Any { - excludeResourceDescriptionsKinds = append(excludeResourceDescriptionsKinds, value.ResourceDescription.Kinds...) - } + + matchResourceDescriptionsKinds := rule.MatchKinds() + excludeResourceDescriptionsKinds := rule.ExcludeKinds() + if !utils.ContainsString(matchResourceDescriptionsKinds, "Pod") || (len(excludeResourceDescriptionsKinds) != 0 && !utils.ContainsString(excludeResourceDescriptionsKinds, "Pod")) { return kyvernoRule{} diff --git a/pkg/signal/signal_windows.go b/pkg/signal/signal_windows.go deleted file mode 100644 index bac933f84c..0000000000 --- a/pkg/signal/signal_windows.go +++ /dev/null @@ -1,8 +0,0 @@ -package signal - -//TODO: how to pick files based on OS compilation ? -// import ( -// "os" -// ) - -// var shutdownSignals = []os.Signal{os.Interrupt} diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go index b4c6e2b21d..4a719132dc 100644 --- a/pkg/testrunner/scenario.go +++ b/pkg/testrunner/scenario.go @@ -421,7 +421,6 @@ func loadObjects(t *testing.T, path string) []k8sRuntime.Object { continue } t.Log(gvk) - //TODO: add more details t.Logf("loaded object %s", gvk.Kind) resources = append(resources, obj) } 
diff --git a/pkg/webhookconfig/certmanager.go b/pkg/webhookconfig/certmanager.go index 221b5d527d..7ce19ecf8e 100644 --- a/pkg/webhookconfig/certmanager.go +++ b/pkg/webhookconfig/certmanager.go @@ -9,7 +9,6 @@ import ( "github.com/go-logr/logr" "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/tls" ktls "github.com/kyverno/kyverno/pkg/tls" v1 "k8s.io/api/core/v1" informerv1 "k8s.io/client-go/informers/core/v1" @@ -29,14 +28,14 @@ type Interface interface { GetTLSPemPair() (*ktls.PemPair, error) } type certManager struct { - renewer *tls.CertRenewer + renewer *ktls.CertRenewer secretInformer informerv1.SecretInformer secretQueue chan bool stopCh <-chan struct{} log logr.Logger } -func NewCertManager(secretInformer informerv1.SecretInformer, kubeClient kubernetes.Interface, certRenewer *tls.CertRenewer, log logr.Logger, stopCh <-chan struct{}) (Interface, error) { +func NewCertManager(secretInformer informerv1.SecretInformer, kubeClient kubernetes.Interface, certRenewer *ktls.CertRenewer, log logr.Logger, stopCh <-chan struct{}) (Interface, error) { manager := &certManager{ renewer: certRenewer, secretInformer: secretInformer, @@ -59,7 +58,7 @@ func (m *certManager) addSecretFunc(obj interface{}) { return } - val, ok := secret.GetAnnotations()[tls.SelfSignedAnnotation] + val, ok := secret.GetAnnotations()[ktls.SelfSignedAnnotation] if !ok || val != "true" { return } @@ -74,7 +73,7 @@ func (m *certManager) updateSecretFunc(oldObj interface{}, newObj interface{}) { return } - val, ok := new.GetAnnotations()[tls.SelfSignedAnnotation] + val, ok := new.GetAnnotations()[ktls.SelfSignedAnnotation] if !ok || val != "true" { return } @@ -127,7 +126,7 @@ func (m *certManager) Run(stopCh <-chan struct{}) { }) m.log.Info("start managing certificate") - certsRenewalTicker := time.NewTicker(tls.CertRenewalInterval) + certsRenewalTicker := time.NewTicker(ktls.CertRenewalInterval) defer certsRenewalTicker.Stop() for { 
@@ -137,7 +136,7 @@ func (m *certManager) Run(stopCh <-chan struct{}) { if err != nil { m.log.Error(err, "failed to validate cert") - if !strings.Contains(err.Error(), tls.ErrorsNotFound) { + if !strings.Contains(err.Error(), ktls.ErrorsNotFound) { continue } } @@ -157,7 +156,7 @@ func (m *certManager) Run(stopCh <-chan struct{}) { if err != nil { m.log.Error(err, "failed to validate cert") - if !strings.Contains(err.Error(), tls.ErrorsNotFound) { + if !strings.Contains(err.Error(), ktls.ErrorsNotFound) { continue } } diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go index 611dff97c9..1294f925fa 100644 --- a/pkg/webhookconfig/common.go +++ b/pkg/webhookconfig/common.go @@ -2,10 +2,11 @@ package webhookconfig import ( "io/ioutil" + "reflect" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/tls" - admregapi "k8s.io/api/admissionregistration/v1beta1" + admregapi "k8s.io/api/admissionregistration/v1" apps "k8s.io/api/apps/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -95,76 +96,66 @@ func (wrc *Register) GetKubePolicyDeployment() (*apps.Deployment, *unstructured. } // debug mutating webhook -func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resources []string, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook { +func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun - failurePolicy := admregapi.Ignore reinvocationPolicy := admregapi.NeverReinvocationPolicy - return admregapi.MutatingWebhook{ + w := admregapi.MutatingWebhook{ ReinvocationPolicy: &reinvocationPolicy, Name: name, ClientConfig: admregapi.WebhookClientConfig{ URL: &url, CABundle: caData, }, - SideEffects: &sideEffect, - Rules: []admregapi.RuleWithOperations{ - { - Operations: operationTypes, - Rule: admregapi.Rule{ - APIGroups: []string{ - apiGroups, - }, - APIVersions: []string{ - apiVersions, - }, - Resources: resources, - }, - }, - }, + SideEffects: &sideEffect, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, FailurePolicy: &failurePolicy, } + + if !reflect.DeepEqual(rule, admregapi.Rule{}) { + w.Rules = []admregapi.RuleWithOperations{ + { + Operations: operationTypes, + Rule: rule, + }, + } + } + + return w } -func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resources []string, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook { +func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook { sideEffect := 
admregapi.SideEffectClassNoneOnDryRun - failurePolicy := admregapi.Ignore - return admregapi.ValidatingWebhook{ + w := admregapi.ValidatingWebhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ URL: &url, CABundle: caData, }, - SideEffects: &sideEffect, - Rules: []admregapi.RuleWithOperations{ - { - Operations: operationTypes, - Rule: admregapi.Rule{ - APIGroups: []string{ - apiGroups, - }, - APIVersions: []string{ - apiVersions, - }, - Resources: resources, - }, - }, - }, + SideEffects: &sideEffect, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, FailurePolicy: &failurePolicy, } + + if !reflect.DeepEqual(rule, admregapi.Rule{}) { + w.Rules = []admregapi.RuleWithOperations{ + { + Operations: operationTypes, + Rule: rule, + }, + } + } + return w } // mutating webhook -func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resources []string, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook { +func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun - failurePolicy := admregapi.Ignore - reinvocationPolicy := admregapi.NeverReinvocationPolicy + reinvocationPolicy := admregapi.IfNeededReinvocationPolicy - return admregapi.MutatingWebhook{ + w := admregapi.MutatingWebhook{ ReinvocationPolicy: &reinvocationPolicy, Name: name, ClientConfig: admregapi.WebhookClientConfig{ 
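Review bot: The tail `if !reflect.DeepEqual(rule, admregapi.Rule{}) { w.Rules = ... }` is pasted verbatim into all four generators (this hunk and the ones at L977 and L978); a small helper that returns the rule slice, or nil for an empty rule, keeps them in step and lets each function go back to a single return. That helper is also the place to say what an empty rule means: a webhook registered without rules matches no admission request, so callers passing `admregapi.Rule{}` get a placeholder, not a catch-all. With failurePolicy now caller-supplied instead of the fixed `admregapi.Ignore`, and generateMutatingWebhook switched to `IfNeededReinvocationPolicy`, each call site now decides whether a webhook failure blocks the request; the call sites are outside this hunk, so confirm the values they pass are the intended defaults. AdmissionReviewVersions still lists only "v1beta1" although the import moved to admissionregistration/v1; if the handler can decode admission.k8s.io/v1 reviews, listing "v1" first keeps the webhook usable on clusters that have removed the beta AdmissionReview.
```go
// webhookRules returns the single RuleWithOperations for rule, or nil when rule is
// empty so the webhook is registered without matching any admission request.
func webhookRules(rule admregapi.Rule, operationTypes []admregapi.OperationType) []admregapi.RuleWithOperations {
	if reflect.DeepEqual(rule, admregapi.Rule{}) {
		return nil
	}
	return []admregapi.RuleWithOperations{{Operations: operationTypes, Rule: rule}}
}

func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook {
	// … unchanged: sideEffect and reinvocationPolicy …
	return admregapi.MutatingWebhook{
		// … unchanged: ReinvocationPolicy, Name, ClientConfig, SideEffects, AdmissionReviewVersions, TimeoutSeconds, FailurePolicy …
		Rules: webhookRules(rule, operationTypes),
	}
}
```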
@@ -175,32 +166,27 @@ func generateMutatingWebhook(name, servicePath string, caData []byte, validation }, CABundle: caData, }, - SideEffects: &sideEffect, - Rules: []admregapi.RuleWithOperations{ - { - Operations: operationTypes, - Rule: admregapi.Rule{ - APIGroups: []string{ - apiGroups, - }, - APIVersions: []string{ - apiVersions, - }, - Resources: resources, - }, - }, - }, + SideEffects: &sideEffect, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, FailurePolicy: &failurePolicy, } + + if !reflect.DeepEqual(rule, admregapi.Rule{}) { + w.Rules = []admregapi.RuleWithOperations{ + { + Operations: operationTypes, + Rule: rule, + }, + } + } + return w } // validating webhook -func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resources []string, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook { +func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun - failurePolicy := admregapi.Ignore - return admregapi.ValidatingWebhook{ + w := admregapi.ValidatingWebhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ Service: &admregapi.ServiceReference{ 
@@ -210,23 +196,19 @@ func generateValidatingWebhook(name, servicePath string, caData []byte, validati }, CABundle: caData, }, - SideEffects: &sideEffect, - Rules: []admregapi.RuleWithOperations{ - { - Operations: operationTypes, - Rule: admregapi.Rule{ - APIGroups: []string{ - apiGroups, - }, - APIVersions: []string{ - apiVersions, - }, - Resources: resources, - }, - }, - }, + SideEffects: &sideEffect, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, FailurePolicy: &failurePolicy, } + + if !reflect.DeepEqual(rule, admregapi.Rule{}) { + w.Rules = []admregapi.RuleWithOperations{ + { + Operations: operationTypes, + Rule: rule, + }, + } + } + return w } diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go new file mode 100644 index 0000000000..ca3a3aca6c --- /dev/null +++ b/pkg/webhookconfig/configmanager.go 
@@ -0,0 +1,755 @@ +package webhookconfig + +import ( + "context" + "fmt" + "reflect" + "strings" + "sync/atomic" + "time" + + "github.com/go-logr/logr" + kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" + kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" + kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" + "github.com/kyverno/kyverno/pkg/common" + "github.com/kyverno/kyverno/pkg/config" + client "github.com/kyverno/kyverno/pkg/dclient" + "github.com/kyverno/kyverno/pkg/resourcecache" + "github.com/kyverno/kyverno/pkg/utils" + "github.com/pkg/errors" + admregapi "k8s.io/api/admissionregistration/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime/schema" + utilruntime "k8s.io/apimachinery/pkg/util/runtime" + "k8s.io/client-go/tools/cache" + "k8s.io/client-go/util/workqueue" +) + +var DefaultWebhookTimeout int64 = 10 + +// webhookConfigManager manges the webhook configuration dynamically +// it is NOT multi-thread safe +type webhookConfigManager struct { + client *client.Client + kyvernoClient *kyvernoclient.Clientset + + pInformer kyvernoinformer.ClusterPolicyInformer + npInformer kyvernoinformer.PolicyInformer + + // pLister can list/get policy from the shared informer's store + pLister kyvernolister.ClusterPolicyLister + + // npLister can list/get namespace policy from the shared informer's store + npLister kyvernolister.PolicyLister + + // pListerSynced returns true if the cluster policy store has been synced at least once + pListerSynced cache.InformerSynced + + // npListerSynced returns true if the namespace policy store has been synced at least once + npListerSynced cache.InformerSynced + + resCache resourcecache.ResourceCache + + mutateInformer 
cache.SharedIndexInformer + validateInformer cache.SharedIndexInformer + mutateInformerSynced cache.InformerSynced + validateInformerSynced cache.InformerSynced + + queue workqueue.RateLimitingInterface + + // wildcardPolicy indicates the number of policies that matches all kinds (*) defined + wildcardPolicy int64 + + createDefaultWebhook chan<- string + + stopCh <-chan struct{} + + log logr.Logger +} + +type manage interface { + start() +} + +func newWebhookConfigManager( + client *client.Client, + kyvernoClient *kyvernoclient.Clientset, + pInformer kyvernoinformer.ClusterPolicyInformer, + npInformer kyvernoinformer.PolicyInformer, + resCache resourcecache.ResourceCache, + createDefaultWebhook chan<- string, + stopCh <-chan struct{}, + log logr.Logger) manage { + + m := &webhookConfigManager{ + client: client, + kyvernoClient: kyvernoClient, + pInformer: pInformer, + npInformer: npInformer, + resCache: resCache, + queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "configmanager"), + wildcardPolicy: 0, + createDefaultWebhook: createDefaultWebhook, + stopCh: stopCh, + log: log, + } + + m.pLister = pInformer.Lister() + m.npLister = npInformer.Lister() + + m.pListerSynced = pInformer.Informer().HasSynced + m.npListerSynced = npInformer.Informer().HasSynced + + mutateCache, _ := m.resCache.GetGVRCache(kindMutating) + m.mutateInformer = mutateCache.GetInformer() + m.mutateInformerSynced = mutateCache.GetInformer().HasSynced + + validateCache, _ := m.resCache.GetGVRCache(kindValidating) + m.validateInformer = validateCache.GetInformer() + m.validateInformerSynced = validateCache.GetInformer().HasSynced + + return m +} + +func (m *webhookConfigManager) handleErr(err error, key interface{}) { + logger := m.log + if err == nil { + m.queue.Forget(key) + return + } + + if m.queue.NumRequeues(key) < 3 { + logger.Error(err, "failed to sync policy", "key", key) + m.queue.AddRateLimited(key) + return + } + + utilruntime.HandleError(err) + 
logger.V(2).Info("dropping policy out of queue", "key", key) + m.queue.Forget(key) +} + +func (m *webhookConfigManager) addClusterPolicy(obj interface{}) { + p := obj.(*kyverno.ClusterPolicy) + if hasWildcard(p) { + atomic.AddInt64(&m.wildcardPolicy, int64(1)) + } + m.enqueue(p) +} + +func (m *webhookConfigManager) updateClusterPolicy(old, cur interface{}) { + oldP := old.(*kyverno.ClusterPolicy) + curP := cur.(*kyverno.ClusterPolicy) + + if reflect.DeepEqual(oldP.Spec, curP.Spec) { + return + } + + if hasWildcard(oldP) && !hasWildcard(curP) { + atomic.AddInt64(&m.wildcardPolicy, ^int64(0)) + } else if !hasWildcard(oldP) && hasWildcard(curP) { + atomic.AddInt64(&m.wildcardPolicy, int64(1)) + } + + m.enqueue(curP) +} + +func (m *webhookConfigManager) deleteClusterPolicy(obj interface{}) { + p, ok := obj.(*kyverno.ClusterPolicy) + if !ok { + tombstone, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object, invalid type")) + return + } + p, ok = tombstone.Obj.(*kyverno.ClusterPolicy) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object tombstone, invalid type")) + return + } + m.log.V(4).Info("Recovered deleted ClusterPolicy '%s' from tombstone", "name", p.GetName()) + } + + if hasWildcard(p) { + atomic.AddInt64(&m.wildcardPolicy, ^int64(0)) + } + m.enqueue(p) +} + +func (m *webhookConfigManager) addPolicy(obj interface{}) { + p := obj.(*kyverno.Policy) + if hasWildcard(p) { + atomic.AddInt64(&m.wildcardPolicy, int64(1)) + } + + pol := kyverno.ClusterPolicy(*p) + m.enqueue(&pol) +} + +func (m *webhookConfigManager) updatePolicy(old, cur interface{}) { + oldP := old.(*kyverno.Policy) + curP := cur.(*kyverno.Policy) + + if reflect.DeepEqual(oldP.Spec, curP.Spec) { + return + } + + if hasWildcard(oldP) && !hasWildcard(curP) { + atomic.AddInt64(&m.wildcardPolicy, ^int64(0)) + } else if !hasWildcard(oldP) && hasWildcard(curP) { + atomic.AddInt64(&m.wildcardPolicy, int64(1)) + } + + pol := 
kyverno.ClusterPolicy(*curP) + m.enqueue(&pol) +} + +func (m *webhookConfigManager) deletePolicy(obj interface{}) { + p, ok := obj.(*kyverno.Policy) + if !ok { + tombstone, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object, invalid type")) + return + } + p, ok = tombstone.Obj.(*kyverno.Policy) + if !ok { + utilruntime.HandleError(fmt.Errorf("error decoding object tombstone, invalid type")) + return + } + m.log.V(4).Info("Recovered deleted ClusterPolicy '%s' from tombstone", "name", p.GetName()) + } + + if hasWildcard(p) { + atomic.AddInt64(&m.wildcardPolicy, ^int64(0)) + } + + pol := kyverno.ClusterPolicy(*p) + m.enqueue(&pol) +} + +func (m *webhookConfigManager) deleteWebhook(obj interface{}) { + m.log.WithName("deleteWebhook").Info("resource webhook configuration was deleted, recreating...") + if webhook, ok := obj.(*unstructured.Unstructured); ok { + k := webhook.GetKind() + if (k == kindMutating && webhook.GetName() == config.MutatingWebhookConfigurationName) || + (k == kindValidating && webhook.GetName() == config.ValidatingWebhookConfigurationName) { + m.enqueueAllPolicies() + } + } +} + +func (m *webhookConfigManager) enqueueAllPolicies() { + logger := m.log.WithName("enqueueAllPolicies") + + cpols, err := m.listPolicies("") + if err != nil { + logger.Error(err, "unabled to list clusterpolicies") + } + for _, cpol := range cpols { + m.enqueue(cpol) + logger.V(4).Info("added CLusterPolicy to the queue", "name", cpol.GetName()) + } + + nsCache, ok := m.resCache.GetGVRCache("Namespace") + if !ok { + nsCache, err = m.resCache.CreateGVKInformer("Namespace") + if err != nil { + logger.Error(err, "unabled to create Namespace listser") + return + } + } + + namespaces, err := nsCache.Lister().List(labels.Everything()) + if err != nil { + logger.Error(err, "unabled to list namespaces") + return + } + + for _, ns := range namespaces { + pols, err := m.listPolicies(ns.GetName()) + if err != nil { + 
logger.Error(err, "unabled to list policies", "namespace", ns.GetName()) + } + + for _, p := range pols { + m.enqueue(p) + logger.V(4).Info("added Policy to the queue", "namespace", p.GetName(), "name", p.GetName()) + } + } +} + +func (m *webhookConfigManager) enqueue(policy *kyverno.ClusterPolicy) { + logger := m.log + key, err := cache.MetaNamespaceKeyFunc(policy) + if err != nil { + logger.Error(err, "failed to enqueue policy") + return + } + m.queue.Add(key) +} + +// start is a blocking call to configure webhook +func (m *webhookConfigManager) start() { + defer utilruntime.HandleCrash() + defer m.queue.ShutDown() + + m.log.Info("starting") + defer m.log.Info("shutting down") + + if !cache.WaitForCacheSync(m.stopCh, m.pListerSynced, m.npListerSynced, m.mutateInformerSynced, m.validateInformerSynced) { + m.log.Info("failed to sync informer cache") + return + } + + m.pInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: m.addClusterPolicy, + UpdateFunc: m.updateClusterPolicy, + DeleteFunc: m.deleteClusterPolicy, + }) + + m.npInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ + AddFunc: m.addPolicy, + UpdateFunc: m.updatePolicy, + DeleteFunc: m.deletePolicy, + }) + + m.mutateInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + DeleteFunc: m.deleteWebhook, + }) + + m.validateInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{ + DeleteFunc: m.deleteWebhook, + }) + + for m.processNextWorkItem() { + } +} + +func (m *webhookConfigManager) processNextWorkItem() bool { + key, quit := m.queue.Get() + if quit { + return false + } + defer m.queue.Done(key) + err := m.sync(key.(string)) + m.handleErr(err, key) + + return true +} + +func (m *webhookConfigManager) sync(key string) error { + logger := m.log.WithName("sync") + startTime := time.Now() + logger.V(4).Info("started syncing policy", "key", key, "startTime", startTime) + defer func() { + logger.V(4).Info("finished syncing policy", "key", key, "processingTime", 
time.Since(startTime).String()) + }() + + namespace, name, err := cache.SplitMetaNamespaceKey(key) + if err != nil { + logger.Info("invalid resource key", "key", key) + return nil + } + + return m.reconcileWebhook(namespace, name) +} + +func (m *webhookConfigManager) reconcileWebhook(namespace, name string) error { + logger := m.log.WithName("reconcileWebhook").WithValues("namespace", namespace, "policy", name) + + policy, err := m.getPolicy(namespace, name) + if err != nil && !apierrors.IsNotFound(err) { + return errors.Wrapf(err, "unable to get policy object %s/%s", namespace, name) + } + + webhooks, err := m.buildWebhooks(namespace) + if err != nil { + return err + } + + if err := m.updateWebhookConfig(webhooks); err != nil { + return errors.Wrapf(err, "failed to update webhook configurations for policy %s/%s", namespace, name) + } + + // DELETION of the policy + if policy == nil { + return nil + } + + if err := m.updateStatus(policy); err != nil { + return errors.Wrapf(err, "failed to update policy status %s/%s", namespace, name) + } + + logger.Info("policy is ready to serve admission requests") + return nil +} + +func (m *webhookConfigManager) getPolicy(namespace, name string) (*kyverno.ClusterPolicy, error) { + // TODO: test default/policy + if namespace == "" { + return m.pLister.Get(name) + } + + nsPolicy, err := m.npLister.Policies(namespace).Get(name) + if err == nil && nsPolicy != nil { + p := kyverno.ClusterPolicy(*nsPolicy) + return &p, err + } + + return nil, err +} + +func (m *webhookConfigManager) listPolicies(namespace string) ([]*kyverno.ClusterPolicy, error) { + if namespace != "" { + polList, err := m.npLister.Policies(namespace).List(labels.Everything()) + if err != nil { + return nil, errors.Wrapf(err, "failed to list Policy") + } + + policies := make([]*kyverno.ClusterPolicy, len(polList)) + for i, pol := range polList { + p := kyverno.ClusterPolicy(*pol) + policies[i] = &p + } + return policies, nil + } + + cpolList, err := 
m.pLister.List(labels.Everything()) + if err != nil { + return nil, errors.Wrapf(err, "failed to list ClusterPolicy") + } + + return cpolList, nil +} + +const ( + apiGroups string = "apiGroups" + apiVersions string = "apiVersions" + resources string = "resources" +) + +// webhook is the instance that aggregates the GVK of existing policies +// based on kind, failurePolicy and webhookTimeout +type webhook struct { + kind string + maxWebhookTimeout int64 + failurePolicy kyverno.FailurePolicyType + + // rule represents the same rule struct of the webhook using a map object + // https://github.com/kubernetes/api/blob/master/admissionregistration/v1/types.go#L25 + rule map[string]interface{} +} + +func (m *webhookConfigManager) buildWebhooks(namespace string) (res []*webhook, err error) { + mutateIgnore := newWebhook(kindMutating, DefaultWebhookTimeout, kyverno.Ignore) + mutateFail := newWebhook(kindMutating, DefaultWebhookTimeout, kyverno.Fail) + validateIgnore := newWebhook(kindValidating, DefaultWebhookTimeout, kyverno.Ignore) + validateFail := newWebhook(kindValidating, DefaultWebhookTimeout, kyverno.Fail) + + if atomic.LoadInt64(&m.wildcardPolicy) != 0 { + for _, w := range []*webhook{mutateIgnore, mutateFail, validateIgnore, validateFail} { + setWildcardConfig(w) + } + + m.log.V(4).WithName("buildWebhooks").Info("warning: found wildcard policy, setting webhook configurations to accept admission requests of all kinds") + return append(res, mutateIgnore, mutateFail, validateIgnore, validateFail), nil + } + + policies, err := m.listPolicies(namespace) + if err != nil { + return nil, errors.Wrap(err, "unable to list current policies") + } + + for _, p := range policies { + if p.HasValidate() || p.HasGenerate() { + if p.Spec.FailurePolicy != nil && *p.Spec.FailurePolicy == kyverno.Ignore { + m.mergeWebhook(validateIgnore, p) + } else { + m.mergeWebhook(validateFail, p) + } + } + + if p.HasMutate() || p.HasGenerate() { + if p.Spec.FailurePolicy != nil && 
*p.Spec.FailurePolicy == kyverno.Ignore { + m.mergeWebhook(mutateIgnore, p) + } else { + m.mergeWebhook(mutateFail, p) + } + } + } + + res = append(res, mutateIgnore, mutateFail, validateIgnore, validateFail) + return res, nil +} + +func (m *webhookConfigManager) updateWebhookConfig(webhooks []*webhook) error { + logger := m.log.WithName("updateWebhookConfig") + webhooksMap := make(map[string]interface{}, len(webhooks)) + for _, w := range webhooks { + key := webhookKey(w.kind, string(w.failurePolicy)) + webhooksMap[key] = w + } + + var errs []string + if err := m.compareAndUpdateWebhook(kindMutating, getResourceMutatingWebhookConfigName(""), webhooksMap); err != nil { + logger.V(4).Info("failed to update mutatingwebhookconfigurations", "error", err.Error()) + errs = append(errs, err.Error()) + } + + if err := m.compareAndUpdateWebhook(kindValidating, getResourceValidatingWebhookConfigName(""), webhooksMap); err != nil { + logger.V(4).Info("failed to update validatingwebhookconfigurations", "error", err.Error()) + errs = append(errs, err.Error()) + } + + if len(errs) != 0 { + return errors.New(strings.Join(errs, "\n")) + } + + return nil +} + +func (m *webhookConfigManager) getWebhook(webhookKind, webhookName string) (resourceWebhook *unstructured.Unstructured, err error) { + get := func() error { + webhookCache, _ := m.resCache.GetGVRCache(webhookKind) + + resourceWebhook, err = webhookCache.Lister().Get(webhookName) + if err != nil && !apierrors.IsNotFound(err) { + return errors.Wrapf(err, "unable to get %s/%s", webhookKind, webhookName) + } else if apierrors.IsNotFound(err) { + m.createDefaultWebhook <- webhookKind + return err + } + return nil + } + + retryGetWebhook := common.RetryFunc(time.Second, 10*time.Second, get, m.log) + if err := retryGetWebhook(); err != nil { + return nil, err + } + + return resourceWebhook, nil +} + +func (m *webhookConfigManager) compareAndUpdateWebhook(webhookKind, webhookName string, webhooksMap map[string]interface{}) error { + 
logger := m.log.WithName("compareAndUpdateWebhook").WithValues("kind", webhookKind, "name", webhookName) + resourceWebhook, err := m.getWebhook(webhookKind, webhookName) + if err != nil { + return err + } + + webhooksUntyped, _, err := unstructured.NestedSlice(resourceWebhook.UnstructuredContent(), "webhooks") + if err != nil { + return errors.Wrapf(err, "unable to fetch tag webhooks for %s/%s", webhookKind, webhookName) + } + + newWebooks := make([]interface{}, len(webhooksUntyped)) + copy(newWebooks, webhooksUntyped) + var changed bool + for i, webhookUntyed := range webhooksUntyped { + existingWebhook, ok := webhookUntyed.(map[string]interface{}) + if !ok { + logger.Error(errors.New("type mismatched"), "expected map[string]interface{}, got %T", webhooksUntyped) + continue + } + + failurePolicy, _, err := unstructured.NestedString(existingWebhook, "failurePolicy") + if err != nil { + logger.Error(errors.New("type mismatched"), "expected string, got %T", failurePolicy) + continue + + } + + rules, _, err := unstructured.NestedSlice(existingWebhook, "rules") + if err != nil { + logger.Error(err, "type mismatched, expected []interface{}, got %T", rules) + continue + } + + newWebhook := webhooksMap[webhookKey(webhookKind, failurePolicy)] + w, ok := newWebhook.(*webhook) + if !ok { + logger.Error(errors.New("type mismatched"), "expected *webhook, got %T", newWebooks) + continue + } + + if !reflect.DeepEqual(rules, []interface{}{w.rule}) { + changed = true + + tmpRules, ok := newWebooks[i].(map[string]interface{})["rules"].([]interface{}) + if !ok { + // init operations + ops := []string{string(admregapi.Create), string(admregapi.Update), string(admregapi.Delete), string(admregapi.Connect)} + if webhookKind == kindMutating { + ops = []string{string(admregapi.Create), string(admregapi.Update)} + } + + tmpRules = []interface{}{map[string]interface{}{}} + if err = unstructured.SetNestedStringSlice(tmpRules[0].(map[string]interface{}), ops, "operations"); err != nil { + 
return errors.Wrapf(err, "unable to set webhooks[%d].rules[0].%s", i, apiGroups) + } + } + + if w.rule == nil || reflect.DeepEqual(w.rule, map[string]interface{}{}) { + // zero kyverno policy with the current failurePolicy, reset webhook rules to empty + newWebooks[i].(map[string]interface{})["rules"] = []interface{}{} + continue + } + + if err = unstructured.SetNestedStringSlice(tmpRules[0].(map[string]interface{}), w.rule[apiGroups].([]string), apiGroups); err != nil { + return errors.Wrapf(err, "unable to set webhooks[%d].rules[0].%s", i, apiGroups) + } + if err = unstructured.SetNestedStringSlice(tmpRules[0].(map[string]interface{}), w.rule[apiVersions].([]string), apiVersions); err != nil { + return errors.Wrapf(err, "unable to set webhooks[%d].rules[0].%s", i, apiVersions) + } + if err = unstructured.SetNestedStringSlice(tmpRules[0].(map[string]interface{}), w.rule[resources].([]string), resources); err != nil { + return errors.Wrapf(err, "unable to set webhooks[%d].rules[0].%s", i, resources) + } + + newWebooks[i].(map[string]interface{})["rules"] = tmpRules + } + + if err = unstructured.SetNestedField(newWebooks[i].(map[string]interface{}), w.maxWebhookTimeout, "timeoutSeconds"); err != nil { + return errors.Wrapf(err, "unable to set webhooks[%d].timeoutSeconds to %v", i, w.maxWebhookTimeout) + } + } + + if changed { + logger.V(4).Info("webhook configuration has been changed, updating") + if err := unstructured.SetNestedSlice(resourceWebhook.UnstructuredContent(), newWebooks, "webhooks"); err != nil { + return errors.Wrap(err, "unable to set new webhooks") + } + + if _, err := m.client.UpdateResource(resourceWebhook.GetAPIVersion(), resourceWebhook.GetKind(), "", resourceWebhook, false); err != nil { + return errors.Wrapf(err, "unable to update %s/%s: %s", resourceWebhook.GetAPIVersion(), resourceWebhook.GetKind(), resourceWebhook.GetName()) + } + + logger.V(4).Info("successfully updated the webhook configuration") + } + + return nil +} + +func (m 
*webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy) error { + policyCopy := policy.DeepCopy() + policyCopy.Status.Ready = true + if policy.GetNamespace() == "" { + _, err := m.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(context.TODO(), policyCopy, v1.UpdateOptions{}) + return err + } + + _, err := m.kyvernoClient.KyvernoV1().Policies(policyCopy.GetNamespace()).UpdateStatus(context.TODO(), (*kyverno.Policy)(policyCopy), v1.UpdateOptions{}) + return err +} + +// mergeWebhook merges the matching kinds of the policy to webhook.rule +func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.ClusterPolicy) { + matchedGVK := make([]string, 0) + for _, rule := range policy.Spec.Rules { + matchedGVK = append(matchedGVK, rule.MatchKinds()...) + if rule.HasGenerate() { + matchedGVK = append(matchedGVK, rule.Generation.ResourceSpec.Kind) + } + } + + gvkMap := make(map[string]int) + gvrList := make([]schema.GroupVersionResource, 0) + for _, gvk := range matchedGVK { + if _, ok := gvkMap[gvk]; !ok { + gvkMap[gvk] = 1 + + // note: webhook stores GVR in its rules while policy stores GVK in its rules definition + gv, k := common.GetKindFromGVK(gvk) + _, gvr, err := m.client.DiscoveryClient.FindResource(gv, k) + if err != nil { + continue + } + gvrList = append(gvrList, gvr) + } + } + + var groups, versions, rsrcs []string + if val, ok := dst.rule[apiGroups]; ok { + groups = make([]string, len(val.([]string))) + copy(groups, val.([]string)) + } + + if val, ok := dst.rule[apiVersions]; ok { + versions = make([]string, len(val.([]string))) + copy(versions, val.([]string)) + } + if val, ok := dst.rule[resources]; ok { + rsrcs = make([]string, len(val.([]string))) + copy(rsrcs, val.([]string)) + } + + for _, gvr := range gvrList { + groups = append(groups, gvr.Group) + versions = append(versions, gvr.Version) + rsrcs = append(rsrcs, gvr.Resource) + } + + dst.rule[apiGroups] = removeDuplicates(groups) + dst.rule[apiVersions] = 
removeDuplicates(versions) + dst.rule[resources] = removeDuplicates(rsrcs) + + if policy.Spec.WebhookTimeoutSeconds != nil { + if dst.maxWebhookTimeout < int64(*policy.Spec.WebhookTimeoutSeconds) { + dst.maxWebhookTimeout = int64(*policy.Spec.WebhookTimeoutSeconds) + } + } +} + +func removeDuplicates(items []string) (res []string) { + set := make(map[string]int) + for _, item := range items { + if _, ok := set[item]; !ok { + set[item] = 1 + res = append(res, item) + } + } + return +} + +func newWebhook(kind string, timeout int64, failurePolicy kyverno.FailurePolicyType) *webhook { + return &webhook{ + kind: kind, + maxWebhookTimeout: timeout, + failurePolicy: failurePolicy, + rule: make(map[string]interface{}), + } +} + +func webhookKey(webhookKind, failurePolicy string) string { + return strings.Join([]string{webhookKind, failurePolicy}, "/") +} + +func hasWildcard(policy interface{}) bool { + if p, ok := policy.(*kyverno.ClusterPolicy); ok { + for _, rule := range p.Spec.Rules { + if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") { + return true + } + } + } + + if p, ok := policy.(*kyverno.Policy); ok { + for _, rule := range p.Spec.Rules { + if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") { + return true + } + } + } + return false +} + +func setWildcardConfig(w *webhook) { + w.rule[apiGroups] = []string{"*"} + w.rule[apiVersions] = []string{"*"} + w.rule[resources] = []string{"*/*"} +} diff --git a/pkg/webhookconfig/monitor.go b/pkg/webhookconfig/monitor.go index 84139a016d..65982a2625 100644 --- a/pkg/webhookconfig/monitor.go +++ b/pkg/webhookconfig/monitor.go 
@@ -74,7 +74,7 @@ func (t *Monitor) SetTime(tm time.Time) { // Run runs the checker and verify the resource update func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen event.Interface, stopCh <-chan struct{}) { - logger := t.log + logger := t.log.WithName("webhookMonitor") logger.V(4).Info("starting webhook monitor", "interval", idleCheckInterval.String()) status := newStatusControl(register, eventGen, t.log.WithName("WebhookStatusControl")) @@ -82,8 +82,23 @@ func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen ticker := time.NewTicker(tickerInterval) defer ticker.Stop() + createDefaultWebhook := register.createDefaultWebhook for { select { + case webhookKind := <-createDefaultWebhook: + logger.Info("received recreation request for resource webhook") + if webhookKind == kindMutating { + err := register.createResourceMutatingWebhookConfiguration(register.readCaData()) + if err != nil { + logger.Error(err, "failed to create default MutatingWebhookConfiguration for resources, the webhook will be reconciled", "interval", tickerInterval) + } + } else if webhookKind == kindValidating { + err := register.createResourceValidatingWebhookConfiguration(register.readCaData()) + if err != nil { + logger.Error(err, "failed to create default ValidatingWebhookConfiguration for resources, the webhook will be reconciled", "interval", tickerInterval) + } + } + case <-ticker.C: err := registerWebhookIfNotPresent(register, t.log.WithName("registerWebhookIfNotPresent")) diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go index 0010270f1e..4d36b3ebb2 100644 --- a/pkg/webhookconfig/policy.go +++ b/pkg/webhookconfig/policy.go 
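Review bot: In the new `case webhookKind := <-createDefaultWebhook:` branch the value of `register.readCaData()` is passed straight into `createResourceMutatingWebhookConfiguration`/`createResourceValidatingWebhookConfiguration` without being checked; `readCaData` is outside this diff, but if it can return nil or empty while the CA secret is not yet readable, the recreated configuration is registered with an empty caBundle, the API server cannot verify the webhook's serving certificate, and every call fails — for the `-fail` webhook the default configuration now carries that rejects every matched request, for the `-ignore` one it silently bypasses policy. I would read the bundle once and defer until the next tick: `caData := register.readCaData()` followed by `if len(caData) == 0 { logger.Info("CA bundle not available, deferring webhook recreation"); continue }`, then pass `caData` to both constructors. A kind that is neither `kindMutating` nor `kindValidating` is also dropped without a log line; a `default` that logs the unexpected value would make that visible. The `Run` loop continues past the end of this hunk.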
@@ -4,11 +4,11 @@ import ( "fmt" "github.com/kyverno/kyverno/pkg/config" - admregapi "k8s.io/api/admissionregistration/v1beta1" + admregapi "k8s.io/api/admissionregistration/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func (wrc *Register) contructPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { +func (wrc *Register) constructPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { return &admregapi.ValidatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ @@ -24,16 +24,19 @@ func (wrc *Register) contructPolicyValidatingWebhookConfig(caData []byte) *admre caData, true, wrc.timeoutSeconds, - []string{"clusterpolicies/*", "policies/*"}, - "kyverno.io", - "v1", + admregapi.Rule{ + Resources: []string{"clusterpolicies/*", "policies/*"}, + APIGroups: []string{"kyverno.io"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, ), }, } } -func (wrc *Register) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { +func (wrc *Register) constructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath) logger.V(4).Info("Debug PolicyValidatingWebhookConfig is registered with url ", "url", url) 
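Review bot: The policy validating webhook in the `@@ -24,16 +24,19 @@` hunk is now pinned to `admregapi.Ignore` and nothing says why; with the move from admissionregistration/v1beta1 to v1 in the same file this matters, because v1 defaults failurePolicy to Fail where v1beta1 defaulted to Ignore, so the explicit value is what preserves the old behaviour. The trade-off deserves a comment, since Ignore means that while the Kyverno pod is unreachable, ClusterPolicy and Policy objects its validator would reject are admitted unvalidated. I would add above the `admregapi.Ignore` argument: `// Ignore keeps the v1beta1 default (v1 defaults to Fail); while Kyverno is down, policies are admitted without validation.` The debug variant that starts at the end of this hunk needs the same note.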
@@ -49,16 +52,19 @@ func (wrc *Register) contructDebugPolicyValidatingWebhookConfig(caData []byte) * caData, true, wrc.timeoutSeconds, - []string{"clusterpolicies/*", "policies/*"}, - "kyverno.io", - "v1", + admregapi.Rule{ + Resources: []string{"clusterpolicies/*", "policies/*"}, + APIGroups: []string{"kyverno.io"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, ), }, } } -func (wrc *Register) contructPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { +func (wrc *Register) constructPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.PolicyMutatingWebhookConfigurationName, @@ -73,16 +79,19 @@ func (wrc *Register) contructPolicyMutatingWebhookConfig(caData []byte) *admrega caData, true, wrc.timeoutSeconds, - []string{"clusterpolicies/*", "policies/*"}, - "kyverno.io", - "v1", + admregapi.Rule{ + Resources: []string{"clusterpolicies/*", "policies/*"}, + APIGroups: []string{"kyverno.io"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, ), }, } } -func (wrc *Register) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { +func (wrc *Register) constructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyMutatingWebhookServicePath) logger.V(4).Info("Debug PolicyMutatingWebhookConfig is registered with url ", "url", url) 
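Review bot: The `admregapi.Rule{Resources: []string{"clusterpolicies/*", "policies/*"}, APIGroups: []string{"kyverno.io"}, APIVersions: []string{"v1"}}` literal is now written out in each of the four policy-webhook constructors of this file, with the operations slice and `admregapi.Ignore` repeated alongside it; a drift in one copy (say a future `v2` API version) would silently desynchronise the debug and in-cluster registrations. I would extract `func policyWebhookRule() admregapi.Rule { return admregapi.Rule{Resources: []string{"clusterpolicies/*", "policies/*"}, APIGroups: []string{"kyverno.io"}, APIVersions: []string{"v1"}} }` and call it from all four sites. Each constructor's body continues past the hunk boundaries.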
@@ -98,10 +107,13 @@ func (wrc *Register) contructDebugPolicyMutatingWebhookConfig(caData []byte) *ad caData, true, wrc.timeoutSeconds, - []string{"clusterpolicies/*", "policies/*"}, - "kyverno.io", - "v1", + admregapi.Rule{ + Resources: []string{"clusterpolicies/*", "policies/*"}, + APIGroups: []string{"kyverno.io"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, ), }, } diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 593a2925ce..9b6978dfa6 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -8,12 +8,14 @@ import ( "time" "github.com/go-logr/logr" + kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" "github.com/kyverno/kyverno/pkg/config" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/resourcecache" "github.com/kyverno/kyverno/pkg/tls" "github.com/pkg/errors" - admregapi "k8s.io/api/admissionregistration/v1beta1" + admregapi "k8s.io/api/admissionregistration/v1" corev1 "k8s.io/api/core/v1" errorsapi "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -34,36 +36,54 @@ const ( // 4. Resource Mutation // 5. Webhook Status Mutation type Register struct { - client *client.Client - clientConfig *rest.Config - resCache resourcecache.ResourceCache - serverIP string // when running outside a cluster - timeoutSeconds int32 - log logr.Logger - debug bool + client *client.Client + clientConfig *rest.Config + resCache resourcecache.ResourceCache + serverIP string // when running outside a cluster + timeoutSeconds int32 + log logr.Logger + debug bool + autoUpdateWebhooks bool - UpdateWebhookChan chan bool + UpdateWebhookChan chan bool + createDefaultWebhook chan string + + // manage implements methods to manage webhook configurations + manage } // NewRegister creates new Register instance func NewRegister( clientConfig *rest.Config, client *client.Client, + kyvernoClient *kyvernoclient.Clientset, resCache resourcecache.ResourceCache, + pInformer kyvernoinformer.ClusterPolicyInformer, + npInformer kyvernoinformer.PolicyInformer, serverIP string, webhookTimeout int32, debug bool, + autoUpdateWebhooks bool, + stopCh <-chan struct{}, log logr.Logger) *Register { - return &Register{ - clientConfig: clientConfig, - client: client, - resCache: resCache, - serverIP: serverIP, - timeoutSeconds: webhookTimeout, - log: log.WithName("Register"), - debug: debug, - UpdateWebhookChan: make(chan bool), + register := &Register{ + clientConfig: clientConfig, + client: client, + resCache: resCache, + serverIP: serverIP, + timeoutSeconds: webhookTimeout, + log: log.WithName("Register"), + debug: debug, + autoUpdateWebhooks: autoUpdateWebhooks, + UpdateWebhookChan: make(chan bool), + createDefaultWebhook: make(chan string), } + + if register.autoUpdateWebhooks { + register.manage = newWebhookConfigManager(client, kyvernoClient, pInformer, npInformer, resCache, register.createDefaultWebhook, stopCh, log.WithName("WebhookConfigManager")) + } + + return register } // Register clean up the old webhooks and re-creates admission webhooks configs on 
cluster @@ -109,6 +129,9 @@ func (wrc *Register) Register() error { return fmt.Errorf("%s", strings.Join(errors, ",")) } + if wrc.autoUpdateWebhooks { + go wrc.manage.start() + } return nil } @@ -121,19 +144,19 @@ func (wrc *Register) Check() error { return err } - if _, err := mutatingCache.Lister().Get(wrc.getResourceMutatingWebhookConfigName()); err != nil { + if _, err := mutatingCache.Lister().Get(getResourceMutatingWebhookConfigName(wrc.serverIP)); err != nil { return err } - if _, err := validatingCache.Lister().Get(wrc.getResourceValidatingWebhookConfigName()); err != nil { + if _, err := validatingCache.Lister().Get(getResourceValidatingWebhookConfigName(wrc.serverIP)); err != nil { return err } - if _, err := mutatingCache.Lister().Get(wrc.getPolicyMutatingWebhookConfigurationName()); err != nil { + if _, err := mutatingCache.Lister().Get(getPolicyMutatingWebhookConfigurationName(wrc.serverIP)); err != nil { return err } - if _, err := validatingCache.Lister().Get(wrc.getPolicyValidatingWebhookConfigurationName()); err != nil { + if _, err := validatingCache.Lister().Get(getPolicyValidatingWebhookConfigurationName(wrc.serverIP)); err != nil { return err } @@ -151,10 +174,11 @@ func (wrc *Register) Remove(cleanUp chan<- struct{}) { wrc.removeSecrets() } +// +deprecated // UpdateWebhookConfigurations updates resource webhook configurations dynamically // base on the UPDATEs of Kyverno init-config ConfigMap // -// it currently updates namespaceSelector only, can be extend to update other fieids +// it currently updates namespaceSelector only, can be extend to update other fields func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface) { logger := wrc.log.WithName("UpdateWebhookConfigurations") for { 
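Review bot: `createDefaultWebhook: make(chan string)` in `NewRegister` is unbuffered, and its only consumer is the `select` in `Monitor.Run`, while the producer is `webhookConfigManager.getWebhook`, which sends on it synchronously from inside the `common.RetryFunc` closure whenever the configuration is not found. If the monitor has not started yet, has exited on `stopCh`, or is busy inside `registerWebhookIfNotPresent` on a tick, the reconcile worker blocks on that send, and once the monitor has stopped it never returns. A small buffer, `createDefaultWebhook: make(chan string, 2)`, absorbs the one-mutating-plus-one-validating burst, and the sender should additionally select on its stop channel so the worker cannot hang past shutdown. The `Register` struct and `NewRegister` in this hunk start on the preceding line.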
@@ -178,17 +202,17 @@ func (wrc *Register) UpdateWebhookConfigurations(configHandler config.Interface) } if err := wrc.updateResourceMutatingWebhookConfiguration(nsSelector); err != nil { - logger.Error(err, "unable to update mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName()) + logger.Error(err, "unable to update mutatingWebhookConfigurations", "name", getResourceMutatingWebhookConfigName(wrc.serverIP)) go func() { wrc.UpdateWebhookChan <- true }() } else { - logger.Info("successfully updated mutatingWebhookConfigurations", "name", wrc.getResourceMutatingWebhookConfigName()) + logger.Info("successfully updated mutatingWebhookConfigurations", "name", getResourceMutatingWebhookConfigName(wrc.serverIP)) } if err := wrc.updateResourceValidatingWebhookConfiguration(nsSelector); err != nil { - logger.Error(err, "unable to update validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName()) + logger.Error(err, "unable to update validatingWebhookConfigurations", "name", getResourceValidatingWebhookConfigName(wrc.serverIP)) go func() { wrc.UpdateWebhookChan <- true }() } else { - logger.Info("successfully updated validatingWebhookConfigurations", "name", wrc.getResourceValidatingWebhookConfigName()) + logger.Info("successfully updated validatingWebhookConfigurations", "name", getResourceValidatingWebhookConfigName(wrc.serverIP)) } } } @@ -302,9 +326,9 @@ func (wrc *Register) createPolicyValidatingWebhookConfiguration(caData []byte) e var config *admregapi.ValidatingWebhookConfiguration if wrc.serverIP != "" { - config = wrc.contructDebugPolicyValidatingWebhookConfig(caData) + config = wrc.constructDebugPolicyValidatingWebhookConfig(caData) } else { - config = wrc.contructPolicyValidatingWebhookConfig(caData) + config = wrc.constructPolicyValidatingWebhookConfig(caData) } if _, err := wrc.client.CreateResource("", kindValidating, "", *config, false); err != nil { 
@@ -324,9 +348,9 @@ func (wrc *Register) createPolicyMutatingWebhookConfiguration(caData []byte) err var config *admregapi.MutatingWebhookConfiguration if wrc.serverIP != "" { - config = wrc.contructDebugPolicyMutatingWebhookConfig(caData) + config = wrc.constructDebugPolicyMutatingWebhookConfig(caData) } else { - config = wrc.contructPolicyMutatingWebhookConfig(caData) + config = wrc.constructPolicyMutatingWebhookConfig(caData) } // create mutating webhook configuration resource @@ -387,7 +411,7 @@ func (wrc *Register) removeWebhookConfigurations() { func (wrc *Register) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - mutatingConfig := wrc.getPolicyMutatingWebhookConfigurationName() + mutatingConfig := getPolicyMutatingWebhookConfigurationName(wrc.serverIP) logger := wrc.log.WithValues("kind", kindMutating, "name", mutatingConfig) @@ -412,9 +436,9 @@ func (wrc *Register) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup logger.Info("webhook configuration deleted") } -func (wrc *Register) getPolicyMutatingWebhookConfigurationName() string { +func getPolicyMutatingWebhookConfigurationName(serverIP string) string { var mutatingConfig string - if wrc.serverIP != "" { + if serverIP != "" { mutatingConfig = config.PolicyMutatingWebhookConfigurationDebugName } else { mutatingConfig = config.PolicyMutatingWebhookConfigurationName @@ -425,7 +449,7 @@ func (wrc *Register) getPolicyMutatingWebhookConfigurationName() string { func (wrc *Register) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - validatingConfig := wrc.getPolicyValidatingWebhookConfigurationName() + validatingConfig := getPolicyValidatingWebhookConfigurationName(wrc.serverIP) logger := wrc.log.WithValues("kind", kindValidating, "name", validatingConfig) if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok { 
@@ -450,9 +474,9 @@ func (wrc *Register) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGro logger.Info("webhook configuration deleted") } -func (wrc *Register) getPolicyValidatingWebhookConfigurationName() string { +func getPolicyValidatingWebhookConfigurationName(serverIP string) string { var validatingConfig string - if wrc.serverIP != "" { + if serverIP != "" { validatingConfig = config.PolicyValidatingWebhookConfigurationDebugName } else { validatingConfig = config.PolicyValidatingWebhookConfigurationName @@ -475,10 +499,13 @@ func (wrc *Register) constructVerifyMutatingWebhookConfig(caData []byte) *admreg caData, true, wrc.timeoutSeconds, - []string{"deployments/*"}, - "apps", - "v1", + admregapi.Rule{ + Resources: []string{"deployments/*"}, + APIGroups: []string{"apps"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Update}, + admregapi.Ignore, ), }, } @@ -499,10 +526,13 @@ func (wrc *Register) constructDebugVerifyMutatingWebhookConfig(caData []byte) *a caData, true, wrc.timeoutSeconds, - []string{"deployments/*"}, - "apps", - "v1", + admregapi.Rule{ + Resources: []string{"deployments/*"}, + APIGroups: []string{"apps"}, + APIVersions: []string{"v1"}, + }, []admregapi.OperationType{admregapi.Update}, + admregapi.Ignore, ), }, } @@ -597,7 +627,7 @@ func (wrc *Register) checkEndpoint() error { } if podIp == "" { - return fmt.Errorf("Pod is not assigned to any node yet") + return fmt.Errorf("pod is not assigned to any node yet") } for _, subset := range endpoint.Subsets { @@ -616,7 +646,7 @@ func (wrc *Register) checkEndpoint() error { // clean up old webhook configurations, if any wrc.removeWebhookConfigurations() - err = fmt.Errorf("Endpoint not ready") + err = fmt.Errorf("endpoint not ready") wrc.log.V(3).Info(err.Error(), "ns", config.KyvernoNamespace, "name", config.KyvernoServiceName) return err } 
@@ -624,7 +654,7 @@ func (wrc *Register) checkEndpoint() error { func (wrc *Register) updateResourceValidatingWebhookConfiguration(nsSelector map[string]interface{}) error { validatingCache, _ := wrc.resCache.GetGVRCache(kindValidating) - resourceValidating, err := validatingCache.Lister().Get(wrc.getResourceValidatingWebhookConfigName()) + resourceValidating, err := validatingCache.Lister().Get(getResourceValidatingWebhookConfigName(wrc.serverIP)) if err != nil { return errors.Wrapf(err, "unable to get validatingWebhookConfigurations") } @@ -660,7 +690,7 @@ func (wrc *Register) updateResourceValidatingWebhookConfiguration(nsSelector map func (wrc *Register) updateResourceMutatingWebhookConfiguration(nsSelector map[string]interface{}) error { mutatingCache, _ := wrc.resCache.GetGVRCache(kindMutating) - resourceMutating, err := mutatingCache.Lister().Get(wrc.getResourceMutatingWebhookConfigName()) + resourceMutating, err := mutatingCache.Lister().Get(getResourceMutatingWebhookConfigName(wrc.serverIP)) if err != nil { return errors.Wrapf(err, "unable to get mutatingWebhookConfigurations") } diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go index 45aa28b7bc..5dfd75cb5b 100644 --- a/pkg/webhookconfig/resource.go +++ b/pkg/webhookconfig/resource.go 
@@ -5,12 +5,23 @@ import ( "sync" "github.com/kyverno/kyverno/pkg/config" - admregapi "k8s.io/api/admissionregistration/v1beta1" - "k8s.io/apimachinery/pkg/api/errors" + admregapi "k8s.io/api/admissionregistration/v1" errorsapi "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +func (wrc *Register) defaultResourceWebhookRule() admregapi.Rule { + if wrc.autoUpdateWebhooks { + return admregapi.Rule{} + } + + return admregapi.Rule{ + Resources: []string{"*/*"}, + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + } +} + func (wrc *Register) constructDefaultDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath) 
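Review bot: `defaultResourceWebhookRule` returns a zero `admregapi.Rule{}` when `autoUpdateWebhooks` is set, and that value is handed to `generateMutatingWebhook`/`generateValidatingWebhook` (not in this diff) as the webhook's rule; unless those helpers drop an empty rule rather than wrapping it in a `RuleWithOperations`, the API server rejects the configuration, because apiGroups, apiVersions and resources are all required fields of a rule. It is also a security-relevant change in behaviour that the function should state: in auto-update mode the resource webhooks are registered matching nothing, so between registration and the manager's first `reconcileWebhook` pass resources are admitted without any policy evaluation. I would document it as `// defaultResourceWebhookRule returns the wildcard rule for the static configuration. With autoUpdateWebhooks the rules are owned by webhookConfigManager and start empty (matching nothing) until the first reconcile.`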
@@ -21,32 +32,30 @@ func (wrc *Register) constructDefaultDebugMutatingWebhookConfig(caData []byte) * }, Webhooks: []admregapi.MutatingWebhook{ generateDebugMutatingWebhook( - config.MutatingWebhookName, + config.MutatingWebhookName+"-ignore", url, caData, true, wrc.timeoutSeconds, - []string{"*/*"}, - "*", - "*", + wrc.defaultResourceWebhookRule(), []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, + ), + generateDebugMutatingWebhook( + config.MutatingWebhookName+"-fail", + url, + caData, + true, + wrc.timeoutSeconds, + wrc.defaultResourceWebhookRule(), + []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Fail, ), }, } } func (wrc *Register) constructDefaultMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { - - webhookCfg := generateMutatingWebhook( - config.MutatingWebhookName, - config.MutatingWebhookServicePath, - caData, false, wrc.timeoutSeconds, - []string{"*/*"}, "*", "*", - []admregapi.OperationType{admregapi.Create, admregapi.Update}) - - reinvoke := admregapi.IfNeededReinvocationPolicy - webhookCfg.ReinvocationPolicy = &reinvoke - return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.MutatingWebhookConfigurationName, 
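Review bot: The rewrite of `constructDefaultMutatingWebhookConfig` removes `reinvoke := admregapi.IfNeededReinvocationPolicy` and `webhookCfg.ReinvocationPolicy = &reinvoke`, and neither of the two `generateMutatingWebhook(...)` calls that replace it sets the field, so unless `generateMutatingWebhook` now does so itself the in-cluster mutating webhooks fall back to the `Never` default. Without IfNeeded the API server does not call Kyverno again after another mutating webhook changes the object, so a mutation applied by a later webhook is no longer subject to Kyverno's mutate rules. I would restore it on both entries after building the slice, e.g. `reinvoke := admregapi.IfNeededReinvocationPolicy` and `for i := range webhooks { webhooks[i].ReinvocationPolicy = &reinvoke }` before assigning `Webhooks:`. The function's `Webhooks` slice is built in the next hunk.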
@@ -54,13 +63,34 @@ func (wrc *Register) constructDefaultMutatingWebhookConfig(caData []byte) *admre wrc.constructOwner(), }, }, - Webhooks: []admregapi.MutatingWebhook{webhookCfg}, + Webhooks: []admregapi.MutatingWebhook{ + generateMutatingWebhook( + config.MutatingWebhookName+"-ignore", + config.MutatingWebhookServicePath, + caData, + false, + wrc.timeoutSeconds, + wrc.defaultResourceWebhookRule(), + []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Ignore, + ), + generateMutatingWebhook( + config.MutatingWebhookName+"-fail", + config.MutatingWebhookServicePath, + caData, + false, + wrc.timeoutSeconds, + wrc.defaultResourceWebhookRule(), + []admregapi.OperationType{admregapi.Create, admregapi.Update}, + admregapi.Fail, + ), + }, } } //getResourceMutatingWebhookConfigName returns the webhook configuration name -func (wrc *Register) getResourceMutatingWebhookConfigName() string { - if wrc.serverIP != "" { +func getResourceMutatingWebhookConfigName(serverIP string) string { + if serverIP != "" { return config.MutatingWebhookConfigurationDebugName } return config.MutatingWebhookConfigurationName @@ -69,7 +99,7 @@ func (wrc *Register) getResourceMutatingWebhookConfigName() string { func (wrc *Register) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - configName := wrc.getResourceMutatingWebhookConfigName() + configName := getResourceMutatingWebhookConfigName(wrc.serverIP) logger := wrc.log.WithValues("kind", kindMutating, "name", configName) if mutateCache, ok := wrc.resCache.GetGVRCache("MutatingWebhookConfiguration"); ok { @@ -81,7 +111,7 @@ func (wrc *Register) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGro // delete webhook configuration err := wrc.client.DeleteResource("", kindMutating, "", configName, false) - if errors.IsNotFound(err) { + if errorsapi.IsNotFound(err) { logger.V(4).Info("webhook configuration not found") return } 
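Review bot: In `constructDefaultMutatingWebhookConfig` both the `-ignore` and the `-fail` webhook receive `wrc.defaultResourceWebhookRule()`, which is the `*/*` wildcard whenever `autoUpdateWebhooks` is false; in that mode every create/update in the cluster is sent to Kyverno twice, and the `admregapi.Fail` entry turns any Kyverno outage into a cluster-wide admission failure even though no policy asked for `failurePolicy: Fail` (the previous single webhook relied on whatever `generateMutatingWebhook` set, which this diff does not show). The `-fail` entry only makes sense when the manager fills its rules from policies, so I would append it to the `Webhooks` slice only `if wrc.autoUpdateWebhooks`, and note on the function that the static mode registers a single Ignore webhook. The validating constructors further down pair the webhooks the same way.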
@@ -103,15 +133,24 @@ func (wrc *Register) constructDefaultDebugValidatingWebhookConfig(caData []byte) }, Webhooks: []admregapi.ValidatingWebhook{ generateDebugValidatingWebhook( - config.ValidatingWebhookName, + config.ValidatingWebhookName+"-ignore", url, caData, true, wrc.timeoutSeconds, - []string{"*/*"}, - "*", - "*", + wrc.defaultResourceWebhookRule(), []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete, admregapi.Connect}, + admregapi.Ignore, + ), + generateDebugValidatingWebhook( + config.ValidatingWebhookName+"-fail", + url, + caData, + true, + wrc.timeoutSeconds, + wrc.defaultResourceWebhookRule(), + []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete, admregapi.Connect}, + admregapi.Fail, ), }, } @@ -127,23 +166,32 @@ func (wrc *Register) constructDefaultValidatingWebhookConfig(caData []byte) *adm }, Webhooks: []admregapi.ValidatingWebhook{ generateValidatingWebhook( - config.ValidatingWebhookName, + config.ValidatingWebhookName+"-ignore", config.ValidatingWebhookServicePath, caData, false, wrc.timeoutSeconds, - []string{"*/*"}, - "*", - "*", + wrc.defaultResourceWebhookRule(), []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete, admregapi.Connect}, + admregapi.Ignore, + ), + generateValidatingWebhook( + config.ValidatingWebhookName+"-fail", + config.ValidatingWebhookServicePath, + caData, + false, + wrc.timeoutSeconds, + wrc.defaultResourceWebhookRule(), + []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete, admregapi.Connect}, + admregapi.Fail, ), }, } } // getResourceValidatingWebhookConfigName returns the webhook configuration name -func (wrc *Register) getResourceValidatingWebhookConfigName() string { - if wrc.serverIP != "" { +func getResourceValidatingWebhookConfigName(serverIP string) string { + if serverIP != "" { return config.ValidatingWebhookConfigurationDebugName } 
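Review bot: The `"-ignore"` and `"-fail"` name suffixes are spelled as string literals in every constructor of this file, while the manager matches existing entries by the `failurePolicy` field rather than by name, so nothing ties the suffix to the policy it labels; a typo in one constructor would give two webhooks whose names no longer describe their behaviour, and if two entries in one configuration end up with the same name the API server is expected to reject it. I would derive the name from the policy in one place, e.g. `func resourceWebhookName(base string, fp admregapi.FailurePolicyType) string { return base + "-" + strings.ToLower(string(fp)) }`, and call it with `admregapi.Ignore`/`admregapi.Fail` at each site. Both constructors in this hunk continue past its boundaries.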
@@ -153,7 +201,7 @@ func (wrc *Register) getResourceValidatingWebhookConfigName() string {
 func (wrc *Register) removeResourceValidatingWebhookConfiguration(wg *sync.WaitGroup) {
 defer wg.Done()
- configName := wrc.getResourceValidatingWebhookConfigName()
+ configName := getResourceValidatingWebhookConfigName(wrc.serverIP)
 logger := wrc.log.WithValues("kind", kindValidating, "name", configName)
 if mutateCache, ok := wrc.resCache.GetGVRCache("ValidatingWebhookConfiguration"); ok {
@@ -164,7 +212,7 @@ func (wrc *Register) removeResourceValidatingWebhookConfiguration(wg *sync.WaitG
 }
 err := wrc.client.DeleteResource("", kindValidating, "", configName, false)
- if errors.IsNotFound(err) {
+ if errorsapi.IsNotFound(err) {
 logger.V(5).Info("webhook configuration not found")
 return
 }
@@ -175,5 +223,4 @@ func (wrc *Register) removeResourceValidatingWebhookConfiguration(wg *sync.WaitG
 }
 logger.Info("webhook configuration deleted")
- return
 }
diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go
index 3a09c50ff4..6e8d28ba4f 100644
--- a/pkg/webhooks/generate/generate.go
+++ b/pkg/webhooks/generate/generate.go
@@ -116,8 +116,6 @@ func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.Generate
 gr.SetNamespace(config.KyvernoNamespace)
 // Initial state "Pending"
- // TODO: status is not updated
- // gr.Status.State = kyverno.Pending
 // generate requests created in kyverno namespace
 isExist := false
 if action == v1beta1.Create || action == v1beta1.Update {
diff --git a/test/e2e/common/common.go b/test/e2e/common/common.go
index b0f56c35bb..1dc9682979 100644
--- a/test/e2e/common/common.go
+++ b/test/e2e/common/common.go
@@ -34,7 +34,7 @@ func CallMetrics() (string, error) {
 func ProcessMetrics(newStr, e2ePolicyName string) error {
 splitByNewLine := strings.Split(newStr, "\n")
 for _, lineSplitByNewLine := range splitByNewLine {
- // kyverno_policy_rule_info_total{policy_background_mode=\"false\",policy_name=\"gen-cluster-policy\",policy_namespace=\"-\",policy_type=\"cluster\",policy_validation_mode=\"audit\",rule_name=\"gen-cluster-role\",rule_type=\"generate\"} 1
+ // kyverno_policy_rule_info_total{policy_background_mode=\"false\",policy_name=\"gen-cluster-policy\",policy_namespace=\"-\",policy_type=\"cluster\",policy_validation_mode=\"audit\",rule_name=\"gen-cluster-role\",rule_type=\"generate\",status_ready="false"} 1
 if !strings.HasPrefix(lineSplitByNewLine, "kyverno_policy_rule_info_total{") {
 continue
 }
@@ -48,10 +48,18 @@ func ProcessMetrics(newStr, e2ePolicyName string) error {
 if strings.HasPrefix(lineSplitByComma, "policy_name=") {
 splitByQuote := strings.Split(lineSplitByComma, "\"")
 policyName := splitByQuote[1]
- if policyName == e2ePolicyName {
+ if policyName != e2ePolicyName {
+ continue
+ }
+ }
+ if strings.HasPrefix(lineSplitByComma, "status_ready=") {
+ splitByQuote := strings.Split(lineSplitByComma, "\"")
+ status := splitByQuote[1]
+ if status == "true" {
 return nil
 }
 }
+ }
 }
From 364174d372f15e7a614474cd787b3a9d790d6f00 Mon Sep 17 00:00:00 2001
From: NoSkillGirl
Date: Tue, 5 Oct 2021 14:57:48 +0530
Subject: [PATCH 49/50] removed print statements
Signed-off-by: NoSkillGirl
---
pkg/kyverno/test/test_command.go | 40 --------------------------------
1 file changed, 40 deletions(-)
diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go
index 3294e53744..15e80febf3 100644
--- a/pkg/kyverno/test/test_command.go
+++ b/pkg/kyverno/test/test_command.go
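Review bot: The added `if policyName != e2ePolicyName { continue }` in the `@@ -48,10 +48,18 @@` hunk does not skip the metric line, only the current comma-separated field, assuming `lineSplitByComma` is ranged by an inner loop over the fields as its name suggests (that loop header is outside the hunk); the new `status_ready=` check on the same line then still runs, so ProcessMetrics returns nil for any policy whose status is "true", not just e2ePolicyName. Carry the match in a per-line flag declared before the inner loop and require it in the status branch, which also keeps the existing dependence on `policy_name` preceding `status_ready` in the exposition order shown in the comment above. `splitByQuote[1]` is still unguarded and panics on a field without a quote, but that predates this change.
```go
// … before the inner loop over the comma-split fields (outside this hunk): policyMatched := false …
if strings.HasPrefix(lineSplitByComma, "policy_name=") {
	splitByQuote := strings.Split(lineSplitByComma, "\"")
	policyMatched = splitByQuote[1] == e2ePolicyName
}
if policyMatched && strings.HasPrefix(lineSplitByComma, "status_ready=") {
	splitByQuote := strings.Split(lineSplitByComma, "\"")
	if splitByQuote[1] == "true" {
		return nil
	}
}
// … unchanged: loop closing braces …
```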
@@ -391,10 +391,7 @@ func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResu
 }
 }
- // fmt.Println("3*****resultsKey: ", resultsKey)
- patcheResourcePath = append(patcheResourcePath, test.PatchedResource)
-
 if _, ok := results[resultsKey]; !ok {
 results[resultsKey] = result
 }
@@ -471,7 +468,6 @@ func GetAllPossibleResultsKey(policyNs, policy, rule, resourceNsnamespace, kind,
 resultKey3 := fmt.Sprintf("%s-%s-%s-%s-%s", policyNs, policy, rule, kind, resource)
 resultKey4 := fmt.Sprintf("%s-%s-%s-%s-%s-%s", policyNs, policy, rule, resourceNsnamespace, kind, resource)
 resultsKey = append(resultsKey, resultKey1, resultKey2, resultKey3, resultKey4)
- // fmt.Println("resultsKey: ", resultsKey)
 return resultsKey
 }
@@ -650,17 +646,9 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
 }
 engineResponses = append(engineResponses, ers...)
 pvInfos = append(pvInfos, info)
- // er, _ := json.Marshal(ers)
- // fmt.Println("\nEngineResponses: ", string(er))
- // pvI, _ := json.Marshal(pvInfos)
- // fmt.Println("\npvInfos: ", string(pvI))
 }
 }
 resultsMap, testResults := buildPolicyResults(engineResponses, values.Results, pvInfos, policyResourcePath, fs, isGit)
- // rm, _ := json.Marshal(resultsMap)
- // fmt.Println("\nresultsMap: ", string(rm))
- // tr, _ := json.Marshal(testResults)
- // fmt.Println("\testResults: ", string(tr))
 resultErr := printTestResult(resultsMap, testResults, rc)
 if resultErr != nil {
 return sanitizederror.NewWithError("failed to print test result:", resultErr)
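Review bot: buildPolicyResults no longer appends to patcheResourcePath in the `@@ -391,10 +391,7 @@` hunk, although the commit message says only print statements were removed and that line is not one; if patcheResourcePath is still declared and read elsewhere in the function it now stays empty, and if it is not, its declaration should go in the same commit so the intent is clear. A one-line commit note or a comment such as `// PatchedResource paths are no longer collected here` would make the change deliberate rather than accidental. buildPolicyResults starts and ends outside this hunk.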
@@ -687,82 +675,54 @@ func printTestResult(resps map[string]report.PolicyReportResult, testResults []T
 if v.Namespace != "" {
 namespace = v.Namespace
 }
- // fmt.Println("namespace: ", namespace)
 res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource)
- // fmt.Println("res.Resource: ", res.Resource)
 var ruleNameInResultKey string
-
 if v.AutoGeneratedRule != "" {
 ruleNameInResultKey = fmt.Sprintf("%s-%s", v.AutoGeneratedRule, v.Rule)
- // fmt.Println("v.AutoGeneratedRule....ruleNameInResultKey: ", ruleNameInResultKey)
 } else {
 ruleNameInResultKey = v.Rule
- // fmt.Println("else.....ruleNameInResultKey: ", ruleNameInResultKey)
 }
 resultKey := fmt.Sprintf("%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Kind, v.Resource)
 found, _ := isNamespacedPolicy(v.Policy)
- // fmt.Println("resultKey: ", resultKey)
- // fmt.Println("found; ", found)
-
 var ns string
- // fmt.Println("\nv.policy: ", v.Policy)
 ns, v.Policy = getUserDefinedPolicyNameAndNamespace(v.Policy)
- // fmt.Println("nas: ", ns, "\nv.policy: ", v.Policy)
-
- // fmt.Println("found: ", found, " v.Namespace: ", v.Namespace)
- // fmt.Println("1*******resultKey: ", resultKey)
 if found && v.Namespace != "" {
 resultKey = fmt.Sprintf("%s-%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource)
- // fmt.Println("1...\n resultKey: ", resultKey)
 } else if found {
 resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", ns, v.Policy, ruleNameInResultKey, v.Kind, v.Resource)
 res.Policy = boldFgCyan.Sprintf(ns) + "/" + boldFgCyan.Sprintf(v.Policy)
 res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource)
- // fmt.Println("2...\n resultKey: ", resultKey)
- // fmt.Println("res.Policy: ", res.Policy)
- // fmt.Println("res.Resource: ", res.Resource)
 } else if v.Namespace != "" {
 res.Resource = boldFgCyan.Sprintf(namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource)
resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource)
- // fmt.Println("3...\n resultKey: ", resultKey)
- // fmt.Println("res.Resource: ", res.Resource)
 }
- // fmt.Println("2*******resultKey: ", resultKey)
 var testRes report.PolicyReportResult
 if val, ok := resps[resultKey]; ok {
 testRes = val
- // fmt.Println("1--- testRes: ", testRes)
 } else {
 res.Result = boldYellow.Sprintf("Not found")
 rc.Fail++
 table = append(table, res)
- // fmt.Println("2--- ")
 continue
 }
- // fmt.Println("v.Result: ", v.Result, " v.Status: ", v.Status)
 if v.Result == "" && v.Status != "" {
 v.Result = v.Status
- // fmt.Println("......v.Result: ", v.Result)
 }
- // fmt.Println("v.Result: ", v.Result, " testRes.Result: ", testRes.Result)
 if testRes.Result == v.Result {
 res.Result = boldGreen.Sprintf("Pass")
 if testRes.Result == report.StatusSkip {
- // fmt.Println("skip....")
 res.Result = boldGreen.Sprintf("Pass")
 rc.Skip++
 } else {
- // fmt.Println("pass....")
 res.Result = boldGreen.Sprintf("Pass")
 rc.Pass++
 }
 } else {
- // fmt.Println("fail....")
 res.Result = boldRed.Sprintf("Fail")
 rc.Fail++
 }
From 92ca609c7c0ed872922db0de118dd42ac66d59c4 Mon Sep 17 00:00:00 2001
From: ShubhamPalriwala
Date: Tue, 5 Oct 2021 11:52:06 +0530
Subject: [PATCH 50/50] ci: scan kyverno-image on each build
Signed-off-by: ShubhamPalriwala
---
.github/workflows/build.yaml | 10 ++++++++++
.github/workflows/release.yaml | 10 ++++++++++
2 files changed, 20 insertions(+)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 68ac4be20f..d1aa7c6288 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
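Review bot: The surviving `res.Resource = boldFgCyan.Sprintf(namespace) + ...` and `res.Policy = boldFgCyan.Sprintf(ns) + ...` lines pass runtime values (namespace, kind, resource and policy names taken from the test file) as the format string, so any `%` in them is interpreted as a verb and garbles the table, and `go vet` flags non-constant format strings; use `boldFgCyan.Sprintf("%s", namespace)` (and likewise for the other operands) or the colour type's plain Sprint if it has one. In the pass branch `res.Result = boldGreen.Sprintf("Pass")` is assigned before the skip check and again in both of its arms, so the two inner assignments are redundant now that the debug prints around them are gone. `found, _ := isNamespacedPolicy(v.Policy)` also silently discards the error it returns; if that is intentional a short comment saying so would help. printTestResult starts and ends outside this hunk.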
@@ -113,6 +113,16 @@ jobs:
 run: |
 make docker-build-kyverno
+ - name: Trivy Scan Image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'ghcr.io/kyverno/kyverno:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
 build-kyverno-cli:
 runs-on: ubuntu-latest
 needs: pre-checks
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index eb8961226b..10ad75570e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -84,6 +84,16 @@ jobs:
 run: |
 make docker-publish-kyverno
+ - name: Trivy Scan Image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'ghcr.io/kyverno/kyverno:latest'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
 release-kyverno-cli:
 runs-on: ubuntu-latest
 steps:
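Review bot: `uses: aquasecurity/trivy-action@master` pins the scanner step to a mutable branch, so both the build and release workflows execute whatever that branch contains at run time with the job's credentials; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<pinned commit SHA>` (placeholder, take it from the action's releases). In release.yaml the step is placed after `make docker-publish-kyverno`, so with `exit-code: '1'` a CRITICAL/HIGH finding fails the job only after the image has already been pushed; the scan should run before the publish step if it is meant to gate the release. `image-ref: 'ghcr.io/kyverno/kyverno:latest'` also names the `latest` tag rather than the image just built, so if `make docker-build-kyverno` tags its output differently the scan may pull a stale remote image instead — worth confirming against the Makefile. The same three points apply to the release.yaml hunk `@@ -84,6 +84,16 @@`.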