
feat: promote policy exceptions to v2 (#9208)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-12-19 12:43:39 +02:00 committed by GitHub
parent c395fcd9e2
commit 8e0a7aa204
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
73 changed files with 4664 additions and 79 deletions


@ -396,7 +396,7 @@ image-build-all: $(BUILD_WITH)-build-all
GOPATH_SHIM := ${PWD}/.gopath
PACKAGE_SHIM := $(GOPATH_SHIM)/src/$(PACKAGE)
OUT_PACKAGE := $(PACKAGE)/pkg/client
INPUT_DIRS := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/policyreport/v1alpha2
INPUT_DIRS := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2,$(PACKAGE)/api/kyverno/v2beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/policyreport/v1alpha2
CLIENTSET_PACKAGE := $(OUT_PACKAGE)/clientset
LISTERS_PACKAGE := $(OUT_PACKAGE)/listers
INFORMERS_PACKAGE := $(OUT_PACKAGE)/informers

20
api/kyverno/v2/doc.go Normal file

@ -0,0 +1,20 @@
/*
Copyright 2020 The Kubernetes authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +k8s:deepcopy-gen=package
// +kubebuilder:object:generate=true
// +groupName=kyverno.io
package v2


@ -0,0 +1,141 @@
/*
Copyright 2022 The Kubernetes authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v2
import (
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/ext/wildcard"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
)
// +genclient
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:shortName=polex,categories=kyverno
// +kubebuilder:storageversion
// PolicyException declares resources to be excluded from specified policies.
type PolicyException struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
}
// Validate implements programmatic validation
func (p *PolicyException) Validate() (errs field.ErrorList) {
errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
return errs
}
// Contains returns true if it contains an exception for the given policy/rule pair
func (p *PolicyException) Contains(policy string, rule string) bool {
return p.Spec.Contains(policy, rule)
}
// PolicyExceptionSpec stores policy exception spec
type PolicyExceptionSpec struct {
// Background controls if exceptions are applied to existing policies during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
// Match defines match clause used to check if a resource applies to the exception
Match kyvernov2beta1.MatchResources `json:"match" yaml:"match"`
// Conditions are used to determine if a resource applies to the exception by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
// +optional
Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"`
// Exceptions is a list policy/rules to be excluded
Exceptions []Exception `json:"exceptions" yaml:"exceptions"`
}
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool {
if p.Background == nil {
return true
}
return *p.Background
}
// Validate implements programmatic validation
func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
if p.BackgroundProcessingEnabled() {
if userErrs := p.Match.ValidateNoUserInfo(path.Child("match")); len(userErrs) > 0 {
errs = append(errs, userErrs...)
}
}
errs = append(errs, p.Match.Validate(path.Child("match"), false, nil)...)
exceptionsPath := path.Child("exceptions")
for i, e := range p.Exceptions {
errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
}
return errs
}
// Contains returns true if it contains an exception for the given policy/rule pair
func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool {
for _, exception := range p.Exceptions {
if exception.Contains(policy, rule) {
return true
}
}
return false
}
// Exception stores infos about a policy and rules
type Exception struct {
// PolicyName identifies the policy to which the exception is applied.
// The policy name uses the format <namespace>/<name> unless it
// references a ClusterPolicy.
PolicyName string `json:"policyName" yaml:"policyName"`
// RuleNames identifies the rules to which the exception is applied.
RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
}
// Validate implements programmatic validation
func (p *Exception) Validate(path *field.Path) (errs field.ErrorList) {
if p.PolicyName == "" {
errs = append(errs, field.Required(path.Child("policyName"), "An exception requires a policy name"))
}
return errs
}
// Contains returns true if it contains an exception for the given policy/rule pair
func (p *Exception) Contains(policy string, rule string) bool {
if p.PolicyName == policy {
for _, ruleName := range p.RuleNames {
if wildcard.Match(ruleName, rule) {
return true
}
}
}
return false
}
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PolicyExceptionList is a list of Policy Exceptions
type PolicyExceptionList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []PolicyException `json:"items" yaml:"items"`
}
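Review bot: `Exception.Validate` only rejects an empty `PolicyName`; an exception whose `ruleNames` is an explicit empty list passes this check and the CRD's `required` (which only tests key presence), and then `Exception.Contains` never matches anything, so the object looks like an active exemption but is a silent no-op. Add the parallel check `if len(p.RuleNames) == 0 { errs = append(errs, field.Required(path.Child("ruleNames"), "An exception requires at least one rule name")) }`. Two smaller points in the same hunk: `BackgroundProcessingEnabled` is exported but undocumented (suggest `// BackgroundProcessingEnabled reports whether the exception also applies during background scans; a nil Background means true.`), and `Conditions` is the only `PolicyExceptionSpec` field without a `yaml:` struct tag, unlike its siblings.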


@ -0,0 +1,142 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v2
import (
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Exception) DeepCopyInto(out *Exception) {
*out = *in
if in.RuleNames != nil {
in, out := &in.RuleNames, &out.RuleNames
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception.
func (in *Exception) DeepCopy() *Exception {
if in == nil {
return nil
}
out := new(Exception)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyException) DeepCopyInto(out *PolicyException) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.
func (in *PolicyException) DeepCopy() *PolicyException {
if in == nil {
return nil
}
out := new(PolicyException)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PolicyException) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]PolicyException, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.
func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList {
if in == nil {
return nil
}
out := new(PolicyExceptionList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PolicyExceptionList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) {
*out = *in
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)
**out = **in
}
in.Match.DeepCopyInto(&out.Match)
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = new(v2beta1.AnyAllConditions)
(*in).DeepCopyInto(*out)
}
if in.Exceptions != nil {
in, out := &in.Exceptions, &out.Exceptions
*out = make([]Exception, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.
func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec {
if in == nil {
return nil
}
out := new(PolicyExceptionSpec)
in.DeepCopyInto(out)
return out
}


@ -0,0 +1,33 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by defaulter-gen. DO NOT EDIT.
package v2
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// RegisterDefaults adds defaulters functions to the given scheme.
// Public to allow building arbitrary schemes.
// All generated defaulters are covering - they call all nested defaulters.
func RegisterDefaults(scheme *runtime.Scheme) error {
return nil
}


@ -0,0 +1,67 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by register-gen. DO NOT EDIT.
package v2
import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
// GroupName specifies the group name used to register the objects.
const GroupName = "kyverno.io"
// GroupVersion specifies the group and the version used to register the objects.
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2"}
// SchemeGroupVersion is group version used to register these objects
// Deprecated: use GroupVersion instead.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2"}
// Resource takes an unqualified resource and returns a Group qualified GroupResource
func Resource(resource string) schema.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
var (
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
SchemeBuilder runtime.SchemeBuilder
localSchemeBuilder = &SchemeBuilder
// Depreciated: use Install instead
AddToScheme = localSchemeBuilder.AddToScheme
Install = localSchemeBuilder.AddToScheme
)
func init() {
// We only register manually written functions here. The registration of the
// generated functions takes place in the generated files. The separation
// makes the code compile even when the generated files are missing.
localSchemeBuilder.Register(addKnownTypes)
}
// Adds the list of known types to Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&PolicyException{},
&PolicyExceptionList{},
)
// AddToGroupVersion allows the serialization of client types like ListOptions.
v1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil
}


@ -25,7 +25,7 @@ import (
// +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:shortName=polex,categories=kyverno
// +kubebuilder:storageversion
// +kubebuilder:deprecatedversion
// PolicyException declares resources to be excluded from specified policies.
type PolicyException struct {
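Review bot: Dropping `+kubebuilder:storageversion` here, together with the `storage: true` → `storage: false` flip for v2beta1 and `storage: true` for v2 in the regenerated CRD hunks further down, changes which version the API server persists, but nothing visible in this commit migrates PolicyException objects already stored as v2beta1; as far as I can tell those stay at the old encoding, `status.storedVersions` keeps listing v2beta1, and that version cannot be removed from the CRD later until every object has been rewritten, so the migration step should be documented next to this change. The `deprecatedversion` marker as written carries no message; `// +kubebuilder:deprecatedversion:warning="kyverno.io/v2beta1 PolicyException is deprecated, use kyverno.io/v2"` would make the API server return a deprecation warning to clients still writing the old version. The enclosing type definition continues outside the hunk.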


@ -41827,6 +41827,597 @@ spec:
singular: policyexception
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
background:
description: Background controls if exceptions are applied to existing
policies during a background scan. Optional. Default value is "true".
The value must be set to "false" if the policy rule uses variables
that are only available in the admission review request (e.g. user
name).
type: boolean
conditions:
description: Conditions are used to determine if a resource applies
to the exception by evaluating a set of conditions. The declaration
can contain nested `any` or `all` statements.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
description: Exception stores infos about a policy and rules
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied. The policy name uses the format <namespace>/<name>
unless it references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- match
type: object
required:
- spec
type: object
served: true
storage: true
- deprecated: true
name: v2alpha1
schema:
@ -42419,7 +43010,8 @@ spec:
type: object
served: true
storage: false
- name: v2beta1
- deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
@ -43009,7 +43601,7 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition

@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: delta-exception

@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2alpha1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: delta-exception

@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) {
out, err := io.ReadAll(b)
assert.NoError(t, err)
expected := `
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: test
@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) {
out, err := io.ReadAll(b)
assert.NoError(t, err)
expected := `
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: test

@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: {{ .Name }}

@ -18,6 +18,597 @@ spec:
singular: policyexception
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
background:
description: Background controls if exceptions are applied to existing
policies during a background scan. Optional. Default value is "true".
The value must be set to "false" if the policy rule uses variables
that are only available in the admission review request (e.g. user
name).
type: boolean
conditions:
description: Conditions are used to determine if a resource applies
to the exception by evaluating a set of conditions. The declaration
can contain nested `any` or `all` statements.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
description: Exception stores infos about a policy and rules
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied. The policy name uses the format <namespace>/<name>
unless it references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- match
type: object
required:
- spec
type: object
served: true
storage: true
- deprecated: true
name: v2alpha1
schema:
@ -610,7 +1201,8 @@ spec:
type: object
served: true
storage: false
- name: v2beta1
- deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
@ -1200,4 +1792,4 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
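Review bot: Flipping the storage version (`storage: true` on the new v2 entry, `storage: false` on v2beta1 at the end of this section) leaves every PolicyException already persisted as v2beta1 in etcd until a storage-version migration rewrites it, and the API server will refuse to drop v2beta1 from the CRD while it is still listed in `status.storedVersions`, so a later "remove v2beta1" change needs that migration first; this deserves a release note. Both older versions are marked `deprecated: true` but carry no `deprecationWarning`, so clients still creating exceptions via v2alpha1 or v2beta1 only get the generic server warning; consider adding `deprecationWarning: "kyverno.io/v2beta1 PolicyException is deprecated; use kyverno.io/v2"` (and the v2alpha1 equivalent) next to each `deprecated: true`. No `conversion` stanza is visible, so the default `None` strategy applies, which is only safe while the v2 schema stays field-for-field identical to v2beta1 as it appears to be here. The same change is repeated in the second copy of this CRD further down the page and in the manifest at the top of the page.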

@ -3,6 +3,7 @@ package exception
import (
"fmt"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
@ -14,25 +15,26 @@ import (
)
var (
factory, _ = resourceloader.New(openapiclient.NewComposite(openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder)))
exceptionV1 = schema.GroupVersion(kyvernov2alpha1.GroupVersion).WithKind("PolicyException")
exceptionV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("PolicyException")
factory, _ = resourceloader.New(openapiclient.NewComposite(openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder)))
exceptionV2alpha1 = schema.GroupVersion(kyvernov2alpha1.GroupVersion).WithKind("PolicyException")
exceptionV2beta1 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("PolicyException")
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
)
func Load(content []byte) ([]*kyvernov2alpha1.PolicyException, error) {
func Load(content []byte) ([]*kyvernov2.PolicyException, error) {
documents, err := yamlutils.SplitDocuments(content)
if err != nil {
return nil, err
}
var exceptions []*kyvernov2alpha1.PolicyException
var exceptions []*kyvernov2.PolicyException
for _, document := range documents {
gvk, untyped, err := factory.Load(document)
if err != nil {
return nil, err
}
switch gvk {
case exceptionV1, exceptionV2:
exception, err := convert.To[kyvernov2alpha1.PolicyException](untyped)
case exceptionV2alpha1, exceptionV2beta1, exceptionV2:
exception, err := convert.To[kyvernov2.PolicyException](untyped)
if err != nil {
return nil, err
}
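Review bot: The `switch` near the end of the hunk now decodes v2alpha1 and v2beta1 documents straight into `kyvernov2.PolicyException` via `convert.To`, which (presumably through an untyped round-trip) would silently drop any field the v2 struct does not declare, so this is only correct while the three versions share one schema. A comment should pin that assumption, e.g. `// v2alpha1 and v2beta1 are decoded directly as v2: the schemas are identical today; revisit if v2 diverges.` The body of `Load` continues past the end of the hunk.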

@ -65,7 +65,7 @@ func NewExceptionSelector(
var exceptionsLister engineapi.PolicyExceptionSelector
if enablePolicyException {
factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
lister := factory.Kyverno().V2beta1().PolicyExceptions().Lister()
lister := factory.Kyverno().V2().PolicyExceptions().Lister()
if exceptionNamespace != "" {
exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
} else {
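Review bot: Switching the informer to `factory.Kyverno().V2().PolicyExceptions().Lister()` makes the controller depend on the cluster's CRD already serving kyverno.io/v2; if the binary is rolled out before the updated CRD, the v2 list/watch fails and, as far as I can tell from this hunk, `exceptionsLister` simply sees an empty cache, so exceptions stop applying (policies enforce without them) rather than surfacing an error. Worth a line in the upgrade notes and a comment on the new line, e.g. `// requires the PolicyException CRD to serve kyverno.io/v2; with an older CRD the informer never syncs and the lister stays empty`. `NewExceptionSelector` starts before the hunk.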

@ -18,6 +18,597 @@ spec:
singular: policyexception
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
background:
description: Background controls if exceptions are applied to existing
policies during a background scan. Optional. Default value is "true".
The value must be set to "false" if the policy rule uses variables
that are only available in the admission review request (e.g. user
name).
type: boolean
conditions:
description: Conditions are used to determine if a resource applies
to the exception by evaluating a set of conditions. The declaration
can contain nested `any` or `all` statements.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
description: Exception stores infos about a policy and rules
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied. The policy name uses the format <namespace>/<name>
unless it references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- match
type: object
required:
- spec
type: object
served: true
storage: true
- deprecated: true
name: v2alpha1
schema:
@ -610,7 +1201,8 @@ spec:
type: object
served: true
storage: false
- name: v2beta1
- deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
@ -1200,4 +1792,4 @@ spec:
- spec
type: object
served: true
storage: true
storage: false


@ -42050,6 +42050,597 @@ spec:
singular: policyexception
scope: Namespaced
versions:
- name: v2
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
policies.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
background:
description: Background controls if exceptions are applied to existing
policies during a background scan. Optional. Default value is "true".
The value must be set to "false" if the policy rule uses variables
that are only available in the admission review request (e.g. user
name).
type: boolean
conditions:
description: Conditions are used to determine if a resource applies
to the exception by evaluating a set of conditions. The declaration
can contain nested `any` or `all` statements.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
description: Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
message:
description: Message is an optional display message
type: string
operator:
description: 'Operator is the conditional operation to perform.
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
description: Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
exceptions:
description: Exceptions is a list policy/rules to be excluded
items:
description: Exception stores infos about a policy and rules
properties:
policyName:
description: PolicyName identifies the policy to which the exception
is applied. The policy name uses the format <namespace>/<name>
unless it references a ClusterPolicy.
type: string
ruleNames:
description: RuleNames identifies the rules to which the exception
is applied.
items:
type: string
type: array
required:
- policyName
- ruleNames
type: object
type: array
match:
description: Match defines match clause used to check if a resource
applies to the exception
properties:
all:
description: All allows specifying resources which will be ANDed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
description: Any allows specifying resources which will be ORed
items:
description: ResourceFilter allow users to "AND" or "OR" between
resources
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
names for the user.
items:
type: string
type: array
resources:
description: ResourceDescription contains information about
the resource being created or modified.
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
items:
type: string
type: array
name:
description: 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE: "Name" is being deprecated in favor of "Names".'
type: string
names:
description: Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items:
type: string
type: array
namespaceSelector:
description: 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
description: Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items:
type: string
type: array
operations:
description: Operations can contain values ["CREATE,
"UPDATE", "CONNECT", "DELETE"], which are used to
match a specific action.
items:
description: AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
description: Roles is the list of namespaced role names
for the user.
items:
type: string
type: array
subjects:
description: Subjects is the list of subject names like
users, user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
required:
- exceptions
- match
type: object
required:
- spec
type: object
served: true
storage: true
- deprecated: true
name: v2alpha1
schema:
@ -42642,7 +43233,8 @@ spec:
type: object
served: true
storage: false
- name: v2beta1
- deprecated: true
name: v2beta1
schema:
openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified
@ -43232,7 +43824,7 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition


@ -27,6 +27,9 @@ background-color: #1589dd;
<a href="#kyverno.io%2fv1beta1"><b style="color: white">kyverno.io/v1beta1</b></a>
</li>
<li>
<a href="#kyverno.io%2fv2"><b style="color: white">kyverno.io/v2</b></a>
</li>
<li>
<a href="#kyverno.io%2fv2alpha1"><b style="color: white">kyverno.io/v2alpha1</b></a>
</li>
<li>
@ -5431,6 +5434,250 @@ int
</tbody>
</table>
<hr />
<h2 id="kyverno.io/v2">kyverno.io/v2</h2>
<p>
</p>
Resource Types:
<ul><li>
<a href="#kyverno.io/v2.PolicyException">PolicyException</a>
</li></ul>
<hr />
<h3 id="kyverno.io/v2.PolicyException">PolicyException
</h3>
<p>
<p>PolicyException declares resources to be excluded from specified policies.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>apiVersion</code><br/>
string</td>
<td>
<code>
kyverno.io/v2
</code>
</td>
</tr>
<tr>
<td>
<code>kind</code><br/>
string
</td>
<td><code>PolicyException</code></td>
</tr>
<tr>
<td>
<code>metadata</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
Kubernetes meta/v1.ObjectMeta
</a>
</em>
</td>
<td>
Refer to the Kubernetes API documentation for the fields of the
<code>metadata</code> field.
</td>
</tr>
<tr>
<td>
<code>spec</code><br/>
<em>
<a href="#kyverno.io/v2.PolicyExceptionSpec">
PolicyExceptionSpec
</a>
</em>
</td>
<td>
<p>Spec declares policy exception behaviors.</p>
<br/>
<br/>
<table class="table table-striped">
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<p>Background controls if exceptions are applied to existing policies during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td>
</tr>
<tr>
<td>
<code>match</code><br/>
<em>
<a href="#kyverno.io/v2beta1.MatchResources">
MatchResources
</a>
</em>
</td>
<td>
<p>Match defines match clause used to check if a resource applies to the exception</p>
</td>
</tr>
<tr>
<td>
<code>conditions</code><br/>
<em>
<a href="#kyverno.io/v2beta1.AnyAllConditions">
AnyAllConditions
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Conditions are used to determine if a resource applies to the exception by evaluating a
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.</p>
</td>
</tr>
<tr>
<td>
<code>exceptions</code><br/>
<em>
<a href="#kyverno.io/v2.Exception">
[]Exception
</a>
</em>
</td>
<td>
<p>Exceptions is a list policy/rules to be excluded</p>
</td>
</tr>
</table>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2.Exception">Exception
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>)
</p>
<p>
<p>Exception stores infos about a policy and rules</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>policyName</code><br/>
<em>
string
</em>
</td>
<td>
<p>PolicyName identifies the policy to which the exception is applied.
The policy name uses the format <namespace>/<name> unless it
references a ClusterPolicy.</p>
</td>
</tr>
<tr>
<td>
<code>ruleNames</code><br/>
<em>
[]string
</em>
</td>
<td>
<p>RuleNames identifies the rules to which the exception is applied.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2.PolicyException">PolicyException</a>)
</p>
<p>
<p>PolicyExceptionSpec stores policy exception spec</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<p>Background controls if exceptions are applied to existing policies during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td>
</tr>
<tr>
<td>
<code>match</code><br/>
<em>
<a href="#kyverno.io/v2beta1.MatchResources">
MatchResources
</a>
</em>
</td>
<td>
<p>Match defines match clause used to check if a resource applies to the exception</p>
</td>
</tr>
<tr>
<td>
<code>conditions</code><br/>
<em>
<a href="#kyverno.io/v2beta1.AnyAllConditions">
AnyAllConditions
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Conditions are used to determine if a resource applies to the exception by evaluating a
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.</p>
</td>
</tr>
<tr>
<td>
<code>exceptions</code><br/>
<em>
<a href="#kyverno.io/v2.Exception">
[]Exception
</a>
</em>
</td>
<td>
<p>Exceptions is a list policy/rules to be excluded</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h2 id="kyverno.io/v2alpha1">kyverno.io/v2alpha1</h2>
<p>
</p>
@ -6821,6 +7068,7 @@ set of conditions. The declaration can contain nested <code>any</code> or <code>
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>,
<a href="#kyverno.io/v2beta1.CleanupPolicySpec">CleanupPolicySpec</a>,
<a href="#kyverno.io/v2beta1.Deny">Deny</a>,
<a href="#kyverno.io/v2beta1.PolicyExceptionSpec">PolicyExceptionSpec</a>,
@ -7329,6 +7577,7 @@ bool
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>,
<a href="#kyverno.io/v2beta1.CleanupPolicySpec">CleanupPolicySpec</a>,
<a href="#kyverno.io/v2beta1.PolicyExceptionSpec">PolicyExceptionSpec</a>,
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)


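--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/exception.go
@@ -0,0 +1,50 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+package v2
+// ExceptionApplyConfiguration represents an declarative configuration of the Exception type for use
+// with apply.
+type ExceptionApplyConfiguration struct {
+PolicyName *string `json:"policyName,omitempty"`
+RuleNames []string `json:"ruleNames,omitempty"`
+}
+// ExceptionApplyConfiguration constructs an declarative configuration of the Exception type for use with
+// apply.
+func Exception() *ExceptionApplyConfiguration {
+return &ExceptionApplyConfiguration{}
+}
+// WithPolicyName sets the PolicyName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the PolicyName field is set to the value of the last call.
+func (b *ExceptionApplyConfiguration) WithPolicyName(value string) *ExceptionApplyConfiguration {
+b.PolicyName = &value
+return b
+}
+// WithRuleNames adds the given value to the RuleNames field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the RuleNames field.
+func (b *ExceptionApplyConfiguration) WithRuleNames(values ...string) *ExceptionApplyConfiguration {
+for i := range values {
+b.RuleNames = append(b.RuleNames, values[i])
+}
+return b
+}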


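--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/policyexception.go
@@ -0,0 +1,210 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+package v2
+import (
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+types "k8s.io/apimachinery/pkg/types"
+v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+// PolicyExceptionApplyConfiguration represents an declarative configuration of the PolicyException type for use
+// with apply.
+type PolicyExceptionApplyConfiguration struct {
+v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
+*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+Spec *PolicyExceptionSpecApplyConfiguration `json:"spec,omitempty"`
+}
+// PolicyException constructs an declarative configuration of the PolicyException type for use with
+// apply.
+func PolicyException(name, namespace string) *PolicyExceptionApplyConfiguration {
+b := &PolicyExceptionApplyConfiguration{}
+b.WithName(name)
+b.WithNamespace(namespace)
+b.WithKind("PolicyException")
+b.WithAPIVersion("kyverno.io/v2")
+return b
+}
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithKind(value string) *PolicyExceptionApplyConfiguration {
+b.Kind = &value
+return b
+}
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithAPIVersion(value string) *PolicyExceptionApplyConfiguration {
+b.APIVersion = &value
+return b
+}
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithName(value string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.Name = &value
+return b
+}
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithGenerateName(value string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.GenerateName = &value
+return b
+}
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithNamespace(value string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.Namespace = &value
+return b
+}
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithUID(value types.UID) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.UID = &value
+return b
+}
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithResourceVersion(value string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.ResourceVersion = &value
+return b
+}
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithGeneration(value int64) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.Generation = &value
+return b
+}
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.CreationTimestamp = &value
+return b
+}
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.DeletionTimestamp = &value
+return b
+}
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+b.DeletionGracePeriodSeconds = &value
+return b
+}
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *PolicyExceptionApplyConfiguration) WithLabels(entries map[string]string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+if b.Labels == nil && len(entries) > 0 {
+b.Labels = make(map[string]string, len(entries))
+}
+for k, v := range entries {
+b.Labels[k] = v
+}
+return b
+}
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *PolicyExceptionApplyConfiguration) WithAnnotations(entries map[string]string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+if b.Annotations == nil && len(entries) > 0 {
+b.Annotations = make(map[string]string, len(entries))
+}
+for k, v := range entries {
+b.Annotations[k] = v
+}
+return b
+}
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *PolicyExceptionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+for i := range values {
+if values[i] == nil {
+panic("nil value passed to WithOwnerReferences")
+}
+b.OwnerReferences = append(b.OwnerReferences, *values[i])
+}
+return b
+}
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *PolicyExceptionApplyConfiguration) WithFinalizers(values ...string) *PolicyExceptionApplyConfiguration {
+b.ensureObjectMetaApplyConfigurationExists()
+for i := range values {
+b.Finalizers = append(b.Finalizers, values[i])
+}
+return b
+}
+func (b *PolicyExceptionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+if b.ObjectMetaApplyConfiguration == nil {
+b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+}
+}
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *PolicyExceptionApplyConfiguration) WithSpec(value *PolicyExceptionSpecApplyConfiguration) *PolicyExceptionApplyConfiguration {
+b.Spec = value
+return b
+}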


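--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/policyexceptionspec.go
@@ -0,0 +1,75 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+package v2
+import (
+v2beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2beta1"
+)
+// PolicyExceptionSpecApplyConfiguration represents an declarative configuration of the PolicyExceptionSpec type for use
+// with apply.
+type PolicyExceptionSpecApplyConfiguration struct {
+Background *bool `json:"background,omitempty"`
+Match *v2beta1.MatchResourcesApplyConfiguration `json:"match,omitempty"`
+Conditions *v2beta1.AnyAllConditionsApplyConfiguration `json:"conditions,omitempty"`
+Exceptions []ExceptionApplyConfiguration `json:"exceptions,omitempty"`
+}
+// PolicyExceptionSpecApplyConfiguration constructs an declarative configuration of the PolicyExceptionSpec type for use with
+// apply.
+func PolicyExceptionSpec() *PolicyExceptionSpecApplyConfiguration {
+return &PolicyExceptionSpecApplyConfiguration{}
+}
+// WithBackground sets the Background field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Background field is set to the value of the last call.
+func (b *PolicyExceptionSpecApplyConfiguration) WithBackground(value bool) *PolicyExceptionSpecApplyConfiguration {
+b.Background = &value
+return b
+}
+// WithMatch sets the Match field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Match field is set to the value of the last call.
+func (b *PolicyExceptionSpecApplyConfiguration) WithMatch(value *v2beta1.MatchResourcesApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
+b.Match = value
+return b
+}
+// WithConditions sets the Conditions field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Conditions field is set to the value of the last call.
+func (b *PolicyExceptionSpecApplyConfiguration) WithConditions(value *v2beta1.AnyAllConditionsApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
+b.Conditions = value
+return b
+}
+// WithExceptions adds the given value to the Exceptions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Exceptions field.
+func (b *PolicyExceptionSpecApplyConfiguration) WithExceptions(values ...*ExceptionApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
+for i := range values {
+if values[i] == nil {
+panic("nil value passed to WithExceptions")
+}
+b.Exceptions = append(b.Exceptions, *values[i])
+}
+return b
+}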


@ -22,12 +22,14 @@ import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
v1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
v1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1alpha2"
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1beta1"
kyvernov2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2beta1"
applyconfigurationspolicyreportv1alpha2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/policyreport/v1alpha2"
@ -168,6 +170,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
case v1beta1.SchemeGroupVersion.WithKind("UpdateRequestStatus"):
return &kyvernov1beta1.UpdateRequestStatusApplyConfiguration{}
// Group=kyverno.io, Version=v2
case v2.SchemeGroupVersion.WithKind("Exception"):
return &kyvernov2.ExceptionApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("PolicyException"):
return &kyvernov2.PolicyExceptionApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("PolicyExceptionSpec"):
return &kyvernov2.PolicyExceptionSpecApplyConfiguration{}
// Group=kyverno.io, Version=v2alpha1
case v2alpha1.SchemeGroupVersion.WithKind("CleanupPolicy"):
return &kyvernov2alpha1.CleanupPolicyApplyConfiguration{}


@ -25,6 +25,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2"
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
kyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha2"
@ -38,6 +39,7 @@ type Interface interface {
KyvernoV1() kyvernov1.KyvernoV1Interface
KyvernoV1alpha2() kyvernov1alpha2.KyvernoV1alpha2Interface
KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface
KyvernoV2() kyvernov2.KyvernoV2Interface
KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface
KyvernoV2alpha1() kyvernov2alpha1.KyvernoV2alpha1Interface
Wgpolicyk8sV1alpha2() wgpolicyk8sv1alpha2.Wgpolicyk8sV1alpha2Interface
@ -49,6 +51,7 @@ type Clientset struct {
kyvernoV1 *kyvernov1.KyvernoV1Client
kyvernoV1alpha2 *kyvernov1alpha2.KyvernoV1alpha2Client
kyvernoV1beta1 *kyvernov1beta1.KyvernoV1beta1Client
kyvernoV2 *kyvernov2.KyvernoV2Client
kyvernoV2beta1 *kyvernov2beta1.KyvernoV2beta1Client
kyvernoV2alpha1 *kyvernov2alpha1.KyvernoV2alpha1Client
wgpolicyk8sV1alpha2 *wgpolicyk8sv1alpha2.Wgpolicyk8sV1alpha2Client
@ -69,6 +72,11 @@ func (c *Clientset) KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface {
return c.kyvernoV1beta1
}
// KyvernoV2 retrieves the KyvernoV2Client
func (c *Clientset) KyvernoV2() kyvernov2.KyvernoV2Interface {
return c.kyvernoV2
}
// KyvernoV2beta1 retrieves the KyvernoV2beta1Client
func (c *Clientset) KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface {
return c.kyvernoV2beta1
@ -140,6 +148,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
if err != nil {
return nil, err
}
cs.kyvernoV2, err = kyvernov2.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil {
return nil, err
}
cs.kyvernoV2beta1, err = kyvernov2beta1.NewForConfigAndClient(&configShallowCopy, httpClient)
if err != nil {
return nil, err
@ -176,6 +188,7 @@ func New(c rest.Interface) *Clientset {
cs.kyvernoV1 = kyvernov1.New(c)
cs.kyvernoV1alpha2 = kyvernov1alpha2.New(c)
cs.kyvernoV1beta1 = kyvernov1beta1.New(c)
cs.kyvernoV2 = kyvernov2.New(c)
cs.kyvernoV2beta1 = kyvernov2beta1.New(c)
cs.kyvernoV2alpha1 = kyvernov2alpha1.New(c)
cs.wgpolicyk8sV1alpha2 = wgpolicyk8sv1alpha2.New(c)


@ -26,6 +26,8 @@ import (
fakekyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2/fake"
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
fakekyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1/fake"
kyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
fakekyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2/fake"
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
fakekyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1/fake"
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
@ -104,6 +106,11 @@ func (c *Clientset) KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface {
return &fakekyvernov1beta1.FakeKyvernoV1beta1{Fake: &c.Fake}
}
// KyvernoV2 retrieves the KyvernoV2Client
func (c *Clientset) KyvernoV2() kyvernov2.KyvernoV2Interface {
return &fakekyvernov2.FakeKyvernoV2{Fake: &c.Fake}
}
// KyvernoV2beta1 retrieves the KyvernoV2beta1Client
func (c *Clientset) KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface {
return &fakekyvernov2beta1.FakeKyvernoV2beta1{Fake: &c.Fake}


@ -22,6 +22,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
@ -39,6 +40,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
kyvernov1.AddToScheme,
kyvernov1alpha2.AddToScheme,
kyvernov1beta1.AddToScheme,
kyvernov2.AddToScheme,
kyvernov2beta1.AddToScheme,
kyvernov2alpha1.AddToScheme,
wgpolicyk8sv1alpha2.AddToScheme,


@ -22,6 +22,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
@ -39,6 +40,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
kyvernov1.AddToScheme,
kyvernov1alpha2.AddToScheme,
kyvernov1beta1.AddToScheme,
kyvernov2.AddToScheme,
kyvernov2beta1.AddToScheme,
kyvernov2alpha1.AddToScheme,
wgpolicyk8sv1alpha2.AddToScheme,


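--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+// This package has the automatically generated typed clients.
+package v2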


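--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+// Package fake has the automatically generated clients.
+package fake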


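--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go
@@ -0,0 +1,40 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+package fake
+import (
+v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
+rest "k8s.io/client-go/rest"
+testing "k8s.io/client-go/testing"
+)
+type FakeKyvernoV2 struct {
+*testing.Fake
+}
+func (c *FakeKyvernoV2) PolicyExceptions(namespace string) v2.PolicyExceptionInterface {
+return &FakePolicyExceptions{c, namespace}
+}
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *FakeKyvernoV2) RESTClient() rest.Interface {
+var ret *rest.RESTClient
+return ret
+}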


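--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_policyexception.go
@@ -0,0 +1,129 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+package fake
+import (
+"context"
+v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+labels "k8s.io/apimachinery/pkg/labels"
+types "k8s.io/apimachinery/pkg/types"
+watch "k8s.io/apimachinery/pkg/watch"
+testing "k8s.io/client-go/testing"
+)
+// FakePolicyExceptions implements PolicyExceptionInterface
+type FakePolicyExceptions struct {
+Fake *FakeKyvernoV2
+ns string
+}
+var policyexceptionsResource = v2.SchemeGroupVersion.WithResource("policyexceptions")
+var policyexceptionsKind = v2.SchemeGroupVersion.WithKind("PolicyException")
+// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
+func (c *FakePolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.PolicyException, err error) {
+obj, err := c.Fake.
+Invokes(testing.NewGetAction(policyexceptionsResource, c.ns, name), &v2.PolicyException{})
+if obj == nil {
+return nil, err
+}
+return obj.(*v2.PolicyException), err
+}
+// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
+func (c *FakePolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2.PolicyExceptionList, err error) {
+obj, err := c.Fake.
+Invokes(testing.NewListAction(policyexceptionsResource, policyexceptionsKind, c.ns, opts), &v2.PolicyExceptionList{})
+if obj == nil {
+return nil, err
+}
+label, _, _ := testing.ExtractFromListOptions(opts)
+if label == nil {
+label = labels.Everything()
+}
+list := &v2.PolicyExceptionList{ListMeta: obj.(*v2.PolicyExceptionList).ListMeta}
+for _, item := range obj.(*v2.PolicyExceptionList).Items {
+if label.Matches(labels.Set(item.Labels)) {
+list.Items = append(list.Items, item)
+}
+}
+return list, err
+}
+// Watch returns a watch.Interface that watches the requested policyExceptions.
+func (c *FakePolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+return c.Fake.
+InvokesWatch(testing.NewWatchAction(policyexceptionsResource, c.ns, opts))
+}
+// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
+func (c *FakePolicyExceptions) Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (result *v2.PolicyException, err error) {
+obj, err := c.Fake.
+Invokes(testing.NewCreateAction(policyexceptionsResource, c.ns, policyException), &v2.PolicyException{})
+if obj == nil {
+return nil, err
+}
+return obj.(*v2.PolicyException), err
+}
+// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
+func (c *FakePolicyExceptions) Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (result *v2.PolicyException, err error) {
+obj, err := c.Fake.
+Invokes(testing.NewUpdateAction(policyexceptionsResource, c.ns, policyException), &v2.PolicyException{})
+if obj == nil {
+return nil, err
+}
+return obj.(*v2.PolicyException), err
+}
+// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
+func (c *FakePolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+_, err := c.Fake.
+Invokes(testing.NewDeleteActionWithOptions(policyexceptionsResource, c.ns, name, opts), &v2.PolicyException{})
+return err
+}
+// DeleteCollection deletes a collection of objects.
+func (c *FakePolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+action := testing.NewDeleteCollectionAction(policyexceptionsResource, c.ns, listOpts)
+_, err := c.Fake.Invokes(action, &v2.PolicyExceptionList{})
+return err
+}
+// Patch applies the patch and returns the patched policyException.
+func (c *FakePolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error) {
+obj, err := c.Fake.
+Invokes(testing.NewPatchSubresourceAction(policyexceptionsResource, c.ns, name, pt, data, subresources...), &v2.PolicyException{})
+if obj == nil {
+return nil, err
+}
+return obj.(*v2.PolicyException), err
+}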


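--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go
@@ -0,0 +1,21 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+package v2
+type PolicyExceptionExpansion interface{}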


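--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go
@@ -0,0 +1,107 @@
+/*
+Copyright The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by client-gen. DO NOT EDIT.
+package v2
+import (
+"net/http"
+v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+"github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+rest "k8s.io/client-go/rest"
+)
+type KyvernoV2Interface interface {
+RESTClient() rest.Interface
+PolicyExceptionsGetter
+}
+// KyvernoV2Client is used to interact with features provided by the kyverno.io group.
+type KyvernoV2Client struct {
+restClient rest.Interface
+}
+func (c *KyvernoV2Client) PolicyExceptions(namespace string) PolicyExceptionInterface {
+return newPolicyExceptions(c, namespace)
+}
+// NewForConfig creates a new KyvernoV2Client for the given config.
+// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
+// where httpClient was generated with rest.HTTPClientFor(c).
+func NewForConfig(c *rest.Config) (*KyvernoV2Client, error) {
+config := *c
+if err := setConfigDefaults(&config); err != nil {
+return nil, err
+}
+httpClient, err := rest.HTTPClientFor(&config)
+if err != nil {
+return nil, err
+}
+return NewForConfigAndClient(&config, httpClient)
+}
+// NewForConfigAndClient creates a new KyvernoV2Client for the given config and http client.
+// Note the http client provided takes precedence over the configured transport values.
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*KyvernoV2Client, error) {
+config := *c
+if err := setConfigDefaults(&config); err != nil {
+return nil, err
+}
+client, err := rest.RESTClientForConfigAndClient(&config, h)
+if err != nil {
+return nil, err
+}
+return &KyvernoV2Client{client}, nil
+}
+// NewForConfigOrDie creates a new KyvernoV2Client for the given config and
+// panics if there is an error in the config.
+func NewForConfigOrDie(c *rest.Config) *KyvernoV2Client {
+client, err := NewForConfig(c)
+if err != nil {
+panic(err)
+}
+return client
+}
+// New creates a new KyvernoV2Client for the given RESTClient.
+func New(c rest.Interface) *KyvernoV2Client {
+return &KyvernoV2Client{c}
+}
+func setConfigDefaults(config *rest.Config) error {
+gv := v2.SchemeGroupVersion
+config.GroupVersion = &gv
+config.APIPath = "/apis"
+config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
+if config.UserAgent == "" {
+config.UserAgent = rest.DefaultKubernetesUserAgent()
+}
+return nil
+}
+// RESTClient returns a RESTClient that is used to communicate
+// with API server by this client implementation.
+func (c *KyvernoV2Client) RESTClient() rest.Interface {
+if c == nil {
+return nil
+}
+return c.restClient
+}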


@ -0,0 +1,178 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v2
import (
"context"
"time"
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
watch "k8s.io/apimachinery/pkg/watch"
rest "k8s.io/client-go/rest"
)
// PolicyExceptionsGetter has a method to return a PolicyExceptionInterface.
// A group's client should implement this interface.
type PolicyExceptionsGetter interface {
PolicyExceptions(namespace string) PolicyExceptionInterface
}
// PolicyExceptionInterface has methods to work with PolicyException resources.
type PolicyExceptionInterface interface {
Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (*v2.PolicyException, error)
Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (*v2.PolicyException, error)
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.PolicyException, error)
List(ctx context.Context, opts v1.ListOptions) (*v2.PolicyExceptionList, error)
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error)
PolicyExceptionExpansion
}
// policyExceptions implements PolicyExceptionInterface
type policyExceptions struct {
client rest.Interface
ns string
}
// newPolicyExceptions returns a PolicyExceptions
func newPolicyExceptions(c *KyvernoV2Client, namespace string) *policyExceptions {
return &policyExceptions{
client: c.RESTClient(),
ns: namespace,
}
}
// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
func (c *policyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.PolicyException, err error) {
result = &v2.PolicyException{}
err = c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
VersionedParams(&options, scheme.ParameterCodec).
Do(ctx).
Into(result)
return
}
// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
func (c *policyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2.PolicyExceptionList, err error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
result = &v2.PolicyExceptionList{}
err = c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Do(ctx).
Into(result)
return
}
// Watch returns a watch.Interface that watches the requested policyExceptions.
func (c *policyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
var timeout time.Duration
if opts.TimeoutSeconds != nil {
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
}
opts.Watch = true
return c.client.Get().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Timeout(timeout).
Watch(ctx)
}
// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *policyExceptions) Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (result *v2.PolicyException, err error) {
result = &v2.PolicyException{}
err = c.client.Post().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&opts, scheme.ParameterCodec).
Body(policyException).
Do(ctx).
Into(result)
return
}
// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
func (c *policyExceptions) Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (result *v2.PolicyException, err error) {
result = &v2.PolicyException{}
err = c.client.Put().
Namespace(c.ns).
Resource("policyexceptions").
Name(policyException.Name).
VersionedParams(&opts, scheme.ParameterCodec).
Body(policyException).
Do(ctx).
Into(result)
return
}
// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
func (c *policyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
return c.client.Delete().
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
Body(&opts).
Do(ctx).
Error()
}
// DeleteCollection deletes a collection of objects.
func (c *policyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
var timeout time.Duration
if listOpts.TimeoutSeconds != nil {
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
}
return c.client.Delete().
Namespace(c.ns).
Resource("policyexceptions").
VersionedParams(&listOpts, scheme.ParameterCodec).
Timeout(timeout).
Body(&opts).
Do(ctx).
Error()
}
// Patch applies the patch and returns the patched policyException.
func (c *policyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error) {
result = &v2.PolicyException{}
err = c.client.Patch(pt).
Namespace(c.ns).
Resource("policyexceptions").
Name(name).
SubResource(subresources...).
VersionedParams(&opts, scheme.ParameterCodec).
Body(data).
Do(ctx).
Into(result)
return
}


@ -24,6 +24,7 @@ import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
v1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
v1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
@ -77,6 +78,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
case v1beta1.SchemeGroupVersion.WithResource("updaterequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V1beta1().UpdateRequests().Informer()}, nil
// Group=kyverno.io, Version=v2
case v2.SchemeGroupVersion.WithResource("policyexceptions"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().PolicyExceptions().Informer()}, nil
// Group=kyverno.io, Version=v2alpha1
case v2alpha1.SchemeGroupVersion.WithResource("cleanuppolicies"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().CleanupPolicies().Informer()}, nil


@ -23,6 +23,7 @@ import (
v1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
v1alpha2 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1alpha2"
v1beta1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1beta1"
v2 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
v2alpha1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
v2beta1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
)
@ -35,6 +36,8 @@ type Interface interface {
V1alpha2() v1alpha2.Interface
// V1beta1 provides access to shared informers for resources in V1beta1.
V1beta1() v1beta1.Interface
// V2 provides access to shared informers for resources in V2.
V2() v2.Interface
// V2beta1 provides access to shared informers for resources in V2beta1.
V2beta1() v2beta1.Interface
// V2alpha1 provides access to shared informers for resources in V2alpha1.
@ -67,6 +70,11 @@ func (g *group) V1beta1() v1beta1.Interface {
return v1beta1.New(g.factory, g.namespace, g.tweakListOptions)
}
// V2 returns a new v2.Interface.
func (g *group) V2() v2.Interface {
return v2.New(g.factory, g.namespace, g.tweakListOptions)
}
// V2beta1 returns a new v2beta1.Interface.
func (g *group) V2beta1() v2beta1.Interface {
return v2beta1.New(g.factory, g.namespace, g.tweakListOptions)


@ -0,0 +1,45 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v2
import (
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
)
// Interface provides access to all the informers in this group version.
type Interface interface {
// PolicyExceptions returns a PolicyExceptionInformer.
PolicyExceptions() PolicyExceptionInformer
}
type version struct {
factory internalinterfaces.SharedInformerFactory
namespace string
tweakListOptions internalinterfaces.TweakListOptionsFunc
}
// New returns a new Interface.
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
}
// PolicyExceptions returns a PolicyExceptionInformer.
func (v *version) PolicyExceptions() PolicyExceptionInformer {
return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}


@ -0,0 +1,90 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by informer-gen. DO NOT EDIT.
package v2
import (
"context"
time "time"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
watch "k8s.io/apimachinery/pkg/watch"
cache "k8s.io/client-go/tools/cache"
)
// PolicyExceptionInformer provides access to a shared informer and lister for
// PolicyExceptions.
type PolicyExceptionInformer interface {
Informer() cache.SharedIndexInformer
Lister() v2.PolicyExceptionLister
}
type policyExceptionInformer struct {
factory internalinterfaces.SharedInformerFactory
tweakListOptions internalinterfaces.TweakListOptionsFunc
namespace string
}
// NewPolicyExceptionInformer constructs a new informer for PolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
return NewFilteredPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
}
// NewFilteredPolicyExceptionInformer constructs a new informer for PolicyException type.
// Always prefer using an informer factory to get a shared informer instead of getting an independent
// one. This reduces memory footprint and number of connections to the server.
func NewFilteredPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
return cache.NewSharedIndexInformer(
&cache.ListWatch{
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.KyvernoV2().PolicyExceptions(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.KyvernoV2().PolicyExceptions(namespace).Watch(context.TODO(), options)
},
},
&kyvernov2.PolicyException{},
resyncPeriod,
indexers,
)
}
func (f *policyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
return NewFilteredPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
}
func (f *policyExceptionInformer) Informer() cache.SharedIndexInformer {
return f.factory.InformerFor(&kyvernov2.PolicyException{}, f.defaultInformer)
}
func (f *policyExceptionInformer) Lister() v2.PolicyExceptionLister {
return v2.NewPolicyExceptionLister(f.Informer().GetIndexer())
}


@ -0,0 +1,27 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v2
// PolicyExceptionListerExpansion allows custom methods to be added to
// PolicyExceptionLister.
type PolicyExceptionListerExpansion interface{}
// PolicyExceptionNamespaceListerExpansion allows custom methods to be added to
// PolicyExceptionNamespaceLister.
type PolicyExceptionNamespaceListerExpansion interface{}


@ -0,0 +1,99 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by lister-gen. DO NOT EDIT.
package v2
import (
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
// PolicyExceptionLister helps list PolicyExceptions.
// All objects returned here must be treated as read-only.
type PolicyExceptionLister interface {
// List lists all PolicyExceptions in the indexer.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v2.PolicyException, err error)
// PolicyExceptions returns an object that can list and get PolicyExceptions.
PolicyExceptions(namespace string) PolicyExceptionNamespaceLister
PolicyExceptionListerExpansion
}
// policyExceptionLister implements the PolicyExceptionLister interface.
type policyExceptionLister struct {
indexer cache.Indexer
}
// NewPolicyExceptionLister returns a new PolicyExceptionLister.
func NewPolicyExceptionLister(indexer cache.Indexer) PolicyExceptionLister {
return &policyExceptionLister{indexer: indexer}
}
// List lists all PolicyExceptions in the indexer.
func (s *policyExceptionLister) List(selector labels.Selector) (ret []*v2.PolicyException, err error) {
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
ret = append(ret, m.(*v2.PolicyException))
})
return ret, err
}
// PolicyExceptions returns an object that can list and get PolicyExceptions.
func (s *policyExceptionLister) PolicyExceptions(namespace string) PolicyExceptionNamespaceLister {
return policyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
}
// PolicyExceptionNamespaceLister helps list and get PolicyExceptions.
// All objects returned here must be treated as read-only.
type PolicyExceptionNamespaceLister interface {
// List lists all PolicyExceptions in the indexer for a given namespace.
// Objects returned here must be treated as read-only.
List(selector labels.Selector) (ret []*v2.PolicyException, err error)
// Get retrieves the PolicyException from the indexer for a given namespace and name.
// Objects returned here must be treated as read-only.
Get(name string) (*v2.PolicyException, error)
PolicyExceptionNamespaceListerExpansion
}
// policyExceptionNamespaceLister implements the PolicyExceptionNamespaceLister
// interface.
type policyExceptionNamespaceLister struct {
indexer cache.Indexer
namespace string
}
// List lists all PolicyExceptions in the indexer for a given namespace.
func (s policyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v2.PolicyException, err error) {
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
ret = append(ret, m.(*v2.PolicyException))
})
return ret, err
}
// Get retrieves the PolicyException from the indexer for a given namespace and name.
func (s policyExceptionNamespaceLister) Get(name string) (*v2.PolicyException, error) {
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
if err != nil {
return nil, err
}
if !exists {
return nil, errors.NewNotFound(v2.Resource("policyexception"), name)
}
return obj.(*v2.PolicyException), nil
}


@ -6,6 +6,7 @@ import (
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policyreport_v1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha2"
@ -13,6 +14,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1"
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1alpha2"
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1beta1"
kyvernov2 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2"
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2alpha1"
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2beta1"
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/pkg/clients/kyverno/wgpolicyk8sv1alpha2"
@ -25,6 +27,7 @@ type clientset struct {
kyvernov1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1.KyvernoV1Interface
kyvernov1alpha2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1alpha2.KyvernoV1alpha2Interface
kyvernov1beta1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1.KyvernoV1beta1Interface
kyvernov2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
kyvernov2alpha1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface
kyvernov2beta1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2beta1.KyvernoV2beta1Interface
wgpolicyk8sv1alpha2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policyreport_v1alpha2.Wgpolicyk8sV1alpha2Interface
@ -42,6 +45,9 @@ func (c *clientset) KyvernoV1alpha2() github_com_kyverno_kyverno_pkg_client_clie
func (c *clientset) KyvernoV1beta1() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1.KyvernoV1beta1Interface {
return c.kyvernov1beta1
}
func (c *clientset) KyvernoV2() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
return c.kyvernov2
}
func (c *clientset) KyvernoV2alpha1() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface {
return c.kyvernov2alpha1
}
@ -58,6 +64,7 @@ func WrapWithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
kyvernov1: kyvernov1.WithMetrics(inner.KyvernoV1(), m, clientType),
kyvernov1alpha2: kyvernov1alpha2.WithMetrics(inner.KyvernoV1alpha2(), m, clientType),
kyvernov1beta1: kyvernov1beta1.WithMetrics(inner.KyvernoV1beta1(), m, clientType),
kyvernov2: kyvernov2.WithMetrics(inner.KyvernoV2(), m, clientType),
kyvernov2alpha1: kyvernov2alpha1.WithMetrics(inner.KyvernoV2alpha1(), m, clientType),
kyvernov2beta1: kyvernov2beta1.WithMetrics(inner.KyvernoV2beta1(), m, clientType),
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithMetrics(inner.Wgpolicyk8sV1alpha2(), m, clientType),
@ -70,6 +77,7 @@ func WrapWithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
kyvernov1: kyvernov1.WithTracing(inner.KyvernoV1(), "KyvernoV1"),
kyvernov1alpha2: kyvernov1alpha2.WithTracing(inner.KyvernoV1alpha2(), "KyvernoV1alpha2"),
kyvernov1beta1: kyvernov1beta1.WithTracing(inner.KyvernoV1beta1(), "KyvernoV1beta1"),
kyvernov2: kyvernov2.WithTracing(inner.KyvernoV2(), "KyvernoV2"),
kyvernov2alpha1: kyvernov2alpha1.WithTracing(inner.KyvernoV2alpha1(), "KyvernoV2alpha1"),
kyvernov2beta1: kyvernov2beta1.WithTracing(inner.KyvernoV2beta1(), "KyvernoV2beta1"),
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithTracing(inner.Wgpolicyk8sV1alpha2(), "Wgpolicyk8sV1alpha2"),
@ -82,6 +90,7 @@ func WrapWithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
kyvernov1: kyvernov1.WithLogging(inner.KyvernoV1(), logger.WithValues("group", "KyvernoV1")),
kyvernov1alpha2: kyvernov1alpha2.WithLogging(inner.KyvernoV1alpha2(), logger.WithValues("group", "KyvernoV1alpha2")),
kyvernov1beta1: kyvernov1beta1.WithLogging(inner.KyvernoV1beta1(), logger.WithValues("group", "KyvernoV1beta1")),
kyvernov2: kyvernov2.WithLogging(inner.KyvernoV2(), logger.WithValues("group", "KyvernoV2")),
kyvernov2alpha1: kyvernov2alpha1.WithLogging(inner.KyvernoV2alpha1(), logger.WithValues("group", "KyvernoV2alpha1")),
kyvernov2beta1: kyvernov2beta1.WithLogging(inner.KyvernoV2beta1(), logger.WithValues("group", "KyvernoV2beta1")),
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithLogging(inner.Wgpolicyk8sV1alpha2(), logger.WithValues("group", "Wgpolicyk8sV1alpha2")),


@ -0,0 +1,59 @@
package client
import (
"github.com/go-logr/logr"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/policyexceptions"
"github.com/kyverno/kyverno/pkg/metrics"
"k8s.io/client-go/rest"
)
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, metrics metrics.MetricsConfigManager, clientType metrics.ClientType) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
return &withMetrics{inner, metrics, clientType}
}
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, client string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
return &withTracing{inner, client}
}
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
return &withLogging{inner, logger}
}
type withMetrics struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
metrics metrics.MetricsConfigManager
clientType metrics.ClientType
}
func (c *withMetrics) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType)
return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder)
}
type withTracing struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
client string
}
func (c *withTracing) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException")
}
type withLogging struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
logger logr.Logger
}
func (c *withLogging) RESTClient() rest.Interface {
return c.inner.RESTClient()
}
func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace))
}


@ -0,0 +1,337 @@
package resource
import (
context "context"
"fmt"
"time"
"github.com/go-logr/logr"
github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/tracing"
"go.opentelemetry.io/otel/trace"
"go.uber.org/multierr"
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
)
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return &withLogging{inner, logger}
}
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return &withMetrics{inner, recorder}
}
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return &withTracing{inner, client, kind}
}
type withLogging struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
logger logr.Logger
}
func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Create")
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Create failed", "duration", time.Since(start))
} else {
logger.Info("Create done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "Delete")
ret0 := c.inner.Delete(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "Delete failed", "duration", time.Since(start))
} else {
logger.Info("Delete done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
start := time.Now()
logger := c.logger.WithValues("operation", "DeleteCollection")
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if err := multierr.Combine(ret0); err != nil {
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
} else {
logger.Info("DeleteCollection done", "duration", time.Since(start))
}
return ret0
}
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Get")
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Get failed", "duration", time.Since(start))
} else {
logger.Info("Get done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "List")
ret0, ret1 := c.inner.List(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "List failed", "duration", time.Since(start))
} else {
logger.Info("List done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Patch")
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Patch failed", "duration", time.Since(start))
} else {
logger.Info("Patch done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Update")
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Update failed", "duration", time.Since(start))
} else {
logger.Info("Update done", "duration", time.Since(start))
}
return ret0, ret1
}
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
start := time.Now()
logger := c.logger.WithValues("operation", "Watch")
ret0, ret1 := c.inner.Watch(arg0, arg1)
if err := multierr.Combine(ret1); err != nil {
logger.Error(err, "Watch failed", "duration", time.Since(start))
} else {
logger.Info("Watch done", "duration", time.Since(start))
}
return ret0, ret1
}
type withMetrics struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
recorder metrics.Recorder
}
func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "create")
return c.inner.Create(arg0, arg1, arg2)
}
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete")
return c.inner.Delete(arg0, arg1, arg2)
}
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
defer c.recorder.RecordWithContext(arg0, "delete_collection")
return c.inner.DeleteCollection(arg0, arg1, arg2)
}
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "get")
return c.inner.Get(arg0, arg1, arg2)
}
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
defer c.recorder.RecordWithContext(arg0, "list")
return c.inner.List(arg0, arg1)
}
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "patch")
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
}
func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
defer c.recorder.RecordWithContext(arg0, "update")
return c.inner.Update(arg0, arg1, arg2)
}
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
defer c.recorder.RecordWithContext(arg0, "watch")
return c.inner.Watch(arg0, arg1)
}
type withTracing struct {
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
client string
kind string
}
func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Create"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Delete"),
),
)
defer span.End()
}
ret0 := c.inner.Delete(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("DeleteCollection"),
),
)
defer span.End()
}
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret0)
}
return ret0
}
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Get"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("List"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.List(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Patch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Update"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
var span trace.Span
if tracing.IsInSpan(arg0) {
arg0, span = tracing.StartChildSpan(
arg0,
"",
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
trace.WithAttributes(
tracing.KubeClientGroupKey.String(c.client),
tracing.KubeClientKindKey.String(c.kind),
tracing.KubeClientOperationKey.String("Watch"),
),
)
defer span.End()
}
ret0, ret1 := c.inner.Watch(arg0, arg1)
if span != nil {
tracing.SetSpanStatus(span, ret1)
}
return ret0, ret1
}


@ -3,7 +3,7 @@ package api
import (
"fmt"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -43,7 +43,7 @@ type RuleResponse struct {
// podSecurityChecks contains pod security checks (only if this is a pod security rule)
podSecurityChecks *PodSecurityChecks
// exception is the exception applied (if any)
exception *kyvernov2beta1.PolicyException
exception *kyvernov2.PolicyException
}
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse {
@ -78,7 +78,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
}
func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse {
r.exception = exception
return &r
}
@ -109,7 +109,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
return r.stats
}
func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
func (r *RuleResponse) Exception() *kyvernov2.PolicyException {
return r.exception
}


@ -1,7 +1,7 @@
package api
import (
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
"k8s.io/apimachinery/pkg/labels"
)
@ -14,4 +14,4 @@ type NamespacedResourceSelector[T any] interface {
}
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2.PolicyException]


@ -4,7 +4,7 @@ import (
"fmt"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
)
@ -13,8 +13,8 @@ import (
func (e *engine) GetPolicyExceptions(
policy kyvernov1.PolicyInterface,
rule string,
) ([]kyvernov2beta1.PolicyException, error) {
var exceptions []kyvernov2beta1.PolicyException
) ([]kyvernov2.PolicyException, error) {
var exceptions []kyvernov2.PolicyException
if e.exceptionSelector == nil {
return exceptions, nil
}


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -18,7 +18,7 @@ type Handler interface {
unstructured.Unstructured,
kyvernov1.Rule,
engineapi.EngineContextLoader,
[]kyvernov2beta1.PolicyException,
[]kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse)
}


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal"
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -6,7 +6,7 @@ import (
json_patch "github.com/evanphx/json-patch/v5"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
@ -69,7 +69,7 @@ func (h mutateImageHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/mutate"
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -6,7 +6,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal"
@ -43,7 +43,7 @@ func (h validateCELHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
_ engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
if engineutils.IsDeleteRequest(policyContext) {
logger.V(3).Info("skipping CEL validation on deleted resource")


@ -6,7 +6,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
@ -44,7 +44,7 @@ func (h validateImageHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
_ engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -15,7 +15,7 @@ import (
"github.com/ghodss/yaml"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
_ engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -7,7 +7,7 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
@ -33,7 +33,7 @@ func (h validatePssHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
_ engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -9,7 +9,7 @@ import (
"github.com/go-logr/logr"
gojmespath "github.com/kyverno/go-jmespath"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal"
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
resource unstructured.Unstructured,
rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2beta1.PolicyException,
exceptions []kyvernov2.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -2,7 +2,7 @@ package utils
import (
"github.com/go-logr/logr"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/utils/conditions"
matched "github.com/kyverno/kyverno/pkg/utils/match"
@ -11,10 +11,10 @@ import (
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
// It returns the matched policy exception.
func MatchesException(
polexs []kyvernov2beta1.PolicyException,
polexs []kyvernov2.PolicyException,
policyContext engineapi.PolicyContext,
logger logr.Logger,
) *kyvernov2beta1.PolicyException {
) *kyvernov2.PolicyException {
gvk, subresource := policyContext.ResourceKind()
resource := policyContext.NewResource()
if resource.Object == nil {


@ -3,20 +3,20 @@ package admission
import (
"encoding/json"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
admissionv1 "k8s.io/api/admission/v1"
)
func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
var exception *kyvernov2beta1.PolicyException
func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) {
var exception *kyvernov2.PolicyException
if err := json.Unmarshal(raw, &exception); err != nil {
return nil, err
}
return exception, nil
}
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
var empty *kyvernov2beta1.PolicyException
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) {
var empty *kyvernov2.PolicyException
exception, err := UnmarshalPolicyException(request.Object.Raw)
if err != nil {
return exception, empty, err


@ -4,7 +4,7 @@ import (
"context"
"github.com/go-logr/logr"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
)
const (
@ -18,7 +18,7 @@ type ValidationOptions struct {
}
// Validate checks policy exception is valid
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) {
var warnings []string
if !opts.Enabled {
warnings = append(warnings, disabledPolex)


@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) {
Enabled: false,
Namespace: "kyverno",
},
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
},
want: 1,
},
@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) {
Enabled: true,
Namespace: "kyverno",
},
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
},
want: 1,
},
@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) {
Enabled: true,
Namespace: "kyverno",
},
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
},
want: 0,
},
@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) {
Enabled: true,
Namespace: "",
},
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
},
want: 0,
},


@ -39,7 +39,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
dclient := dclient.NewEmptyFakeClient()
configuration := config.NewDefaultConfiguration(false)
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister()
jp := jmespath.New(configuration)
rclient := registryclient.NewOrDie()


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: delta-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: polex-right


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: polex-wrong


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: container-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: policy-exception-allow-latest


@ -1,6 +1,6 @@
apiVersion: v1
involvedObject:
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
name: policy-exception-allow-latest
namespace: policy-exception-events-creation-polex-ns


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: label-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: allow-scaling-nginx-test


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2beta1
apiVersion: kyverno.io/v2
kind: PolicyException
metadata:
name: allow-scaling-nginx-test