mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
feat: promote policy exceptions to v2 (#9208)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
c395fcd9e2
commit
8e0a7aa204
73 changed files with 4664 additions and 79 deletions
2
Makefile
2
Makefile
|
@ -396,7 +396,7 @@ image-build-all: $(BUILD_WITH)-build-all
|
|||
GOPATH_SHIM := ${PWD}/.gopath
|
||||
PACKAGE_SHIM := $(GOPATH_SHIM)/src/$(PACKAGE)
|
||||
OUT_PACKAGE := $(PACKAGE)/pkg/client
|
||||
INPUT_DIRS := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/policyreport/v1alpha2
|
||||
INPUT_DIRS := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2,$(PACKAGE)/api/kyverno/v2beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/policyreport/v1alpha2
|
||||
CLIENTSET_PACKAGE := $(OUT_PACKAGE)/clientset
|
||||
LISTERS_PACKAGE := $(OUT_PACKAGE)/listers
|
||||
INFORMERS_PACKAGE := $(OUT_PACKAGE)/informers
|
||||
|
|
20
api/kyverno/v2/doc.go
Normal file
20
api/kyverno/v2/doc.go
Normal file
|
@ -0,0 +1,20 @@
|
|||
/*
|
||||
Copyright 2020 The Kubernetes authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// +k8s:deepcopy-gen=package
|
||||
// +kubebuilder:object:generate=true
|
||||
// +groupName=kyverno.io
|
||||
package v2
|
141
api/kyverno/v2/policy_exception_types.go
Normal file
141
api/kyverno/v2/policy_exception_types.go
Normal file
|
@ -0,0 +1,141 @@
|
|||
/*
|
||||
Copyright 2022 The Kubernetes authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
package v2
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/kyverno/kyverno/ext/wildcard"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
||||
// +genclient
|
||||
// +kubebuilder:object:root=true
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// PolicyException declares resources to be excluded from specified policies.
|
||||
type PolicyException struct {
|
||||
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
|
||||
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
|
||||
|
||||
// Spec declares policy exception behaviors.
|
||||
Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (p *PolicyException) Validate() (errs field.ErrorList) {
|
||||
errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
|
||||
return errs
|
||||
}
|
||||
|
||||
// Contains returns true if it contains an exception for the given policy/rule pair
|
||||
func (p *PolicyException) Contains(policy string, rule string) bool {
|
||||
return p.Spec.Contains(policy, rule)
|
||||
}
|
||||
|
||||
// PolicyExceptionSpec stores policy exception spec
|
||||
type PolicyExceptionSpec struct {
|
||||
// Background controls if exceptions are applied to existing policies during a background scan.
|
||||
// Optional. Default value is "true". The value must be set to "false" if the policy rule
|
||||
// uses variables that are only available in the admission review request (e.g. user name).
|
||||
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
|
||||
|
||||
// Match defines match clause used to check if a resource applies to the exception
|
||||
Match kyvernov2beta1.MatchResources `json:"match" yaml:"match"`
|
||||
|
||||
// Conditions are used to determine if a resource applies to the exception by evaluating a
|
||||
// set of conditions. The declaration can contain nested `any` or `all` statements.
|
||||
// +optional
|
||||
Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"`
|
||||
|
||||
// Exceptions is a list policy/rules to be excluded
|
||||
Exceptions []Exception `json:"exceptions" yaml:"exceptions"`
|
||||
}
|
||||
|
||||
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool {
|
||||
if p.Background == nil {
|
||||
return true
|
||||
}
|
||||
return *p.Background
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
|
||||
if p.BackgroundProcessingEnabled() {
|
||||
if userErrs := p.Match.ValidateNoUserInfo(path.Child("match")); len(userErrs) > 0 {
|
||||
errs = append(errs, userErrs...)
|
||||
}
|
||||
}
|
||||
errs = append(errs, p.Match.Validate(path.Child("match"), false, nil)...)
|
||||
exceptionsPath := path.Child("exceptions")
|
||||
for i, e := range p.Exceptions {
|
||||
errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// Contains returns true if it contains an exception for the given policy/rule pair
|
||||
func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool {
|
||||
for _, exception := range p.Exceptions {
|
||||
if exception.Contains(policy, rule) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// Exception stores infos about a policy and rules
|
||||
type Exception struct {
|
||||
// PolicyName identifies the policy to which the exception is applied.
|
||||
// The policy name uses the format <namespace>/<name> unless it
|
||||
// references a ClusterPolicy.
|
||||
PolicyName string `json:"policyName" yaml:"policyName"`
|
||||
|
||||
// RuleNames identifies the rules to which the exception is applied.
|
||||
RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (p *Exception) Validate(path *field.Path) (errs field.ErrorList) {
|
||||
if p.PolicyName == "" {
|
||||
errs = append(errs, field.Required(path.Child("policyName"), "An exception requires a policy name"))
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// Contains returns true if it contains an exception for the given policy/rule pair
|
||||
func (p *Exception) Contains(policy string, rule string) bool {
|
||||
if p.PolicyName == policy {
|
||||
for _, ruleName := range p.RuleNames {
|
||||
if wildcard.Match(ruleName, rule) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// +kubebuilder:object:root=true
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// PolicyExceptionList is a list of Policy Exceptions
|
||||
type PolicyExceptionList struct {
|
||||
metav1.TypeMeta `json:",inline" yaml:",inline"`
|
||||
metav1.ListMeta `json:"metadata" yaml:"metadata"`
|
||||
Items []PolicyException `json:"items" yaml:"items"`
|
||||
}
|
142
api/kyverno/v2/zz_generated.deepcopy.go
Normal file
142
api/kyverno/v2/zz_generated.deepcopy.go
Normal file
|
@ -0,0 +1,142 @@
|
|||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by deepcopy-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *Exception) DeepCopyInto(out *Exception) {
|
||||
*out = *in
|
||||
if in.RuleNames != nil {
|
||||
in, out := &in.RuleNames, &out.RuleNames
|
||||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception.
|
||||
func (in *Exception) DeepCopy() *Exception {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(Exception)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PolicyException) DeepCopyInto(out *PolicyException) {
|
||||
*out = *in
|
||||
out.TypeMeta = in.TypeMeta
|
||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||
in.Spec.DeepCopyInto(&out.Spec)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.
|
||||
func (in *PolicyException) DeepCopy() *PolicyException {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PolicyException)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||
func (in *PolicyException) DeepCopyObject() runtime.Object {
|
||||
if c := in.DeepCopy(); c != nil {
|
||||
return c
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) {
|
||||
*out = *in
|
||||
out.TypeMeta = in.TypeMeta
|
||||
in.ListMeta.DeepCopyInto(&out.ListMeta)
|
||||
if in.Items != nil {
|
||||
in, out := &in.Items, &out.Items
|
||||
*out = make([]PolicyException, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.
|
||||
func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PolicyExceptionList)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
|
||||
func (in *PolicyExceptionList) DeepCopyObject() runtime.Object {
|
||||
if c := in.DeepCopy(); c != nil {
|
||||
return c
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) {
|
||||
*out = *in
|
||||
if in.Background != nil {
|
||||
in, out := &in.Background, &out.Background
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
in.Match.DeepCopyInto(&out.Match)
|
||||
if in.Conditions != nil {
|
||||
in, out := &in.Conditions, &out.Conditions
|
||||
*out = new(v2beta1.AnyAllConditions)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Exceptions != nil {
|
||||
in, out := &in.Exceptions, &out.Exceptions
|
||||
*out = make([]Exception, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.
|
||||
func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PolicyExceptionSpec)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
33
api/kyverno/v2/zz_generated.defaults.go
Normal file
33
api/kyverno/v2/zz_generated.defaults.go
Normal file
|
@ -0,0 +1,33 @@
|
|||
//go:build !ignore_autogenerated
|
||||
// +build !ignore_autogenerated
|
||||
|
||||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by defaulter-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// RegisterDefaults adds defaulters functions to the given scheme.
|
||||
// Public to allow building arbitrary schemes.
|
||||
// All generated defaulters are covering - they call all nested defaulters.
|
||||
func RegisterDefaults(scheme *runtime.Scheme) error {
|
||||
return nil
|
||||
}
|
67
api/kyverno/v2/zz_generated.register.go
Normal file
67
api/kyverno/v2/zz_generated.register.go
Normal file
|
@ -0,0 +1,67 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by register-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
// GroupName specifies the group name used to register the objects.
|
||||
const GroupName = "kyverno.io"
|
||||
|
||||
// GroupVersion specifies the group and the version used to register the objects.
|
||||
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2"}
|
||||
|
||||
// SchemeGroupVersion is group version used to register these objects
|
||||
// Deprecated: use GroupVersion instead.
|
||||
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2"}
|
||||
|
||||
// Resource takes an unqualified resource and returns a Group qualified GroupResource
|
||||
func Resource(resource string) schema.GroupResource {
|
||||
return SchemeGroupVersion.WithResource(resource).GroupResource()
|
||||
}
|
||||
|
||||
var (
|
||||
// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
|
||||
SchemeBuilder runtime.SchemeBuilder
|
||||
localSchemeBuilder = &SchemeBuilder
|
||||
// Depreciated: use Install instead
|
||||
AddToScheme = localSchemeBuilder.AddToScheme
|
||||
Install = localSchemeBuilder.AddToScheme
|
||||
)
|
||||
|
||||
func init() {
|
||||
// We only register manually written functions here. The registration of the
|
||||
// generated functions takes place in the generated files. The separation
|
||||
// makes the code compile even when the generated files are missing.
|
||||
localSchemeBuilder.Register(addKnownTypes)
|
||||
}
|
||||
|
||||
// Adds the list of known types to Scheme.
|
||||
func addKnownTypes(scheme *runtime.Scheme) error {
|
||||
scheme.AddKnownTypes(SchemeGroupVersion,
|
||||
&PolicyException{},
|
||||
&PolicyExceptionList{},
|
||||
)
|
||||
// AddToGroupVersion allows the serialization of client types like ListOptions.
|
||||
v1.AddToGroupVersion(scheme, SchemeGroupVersion)
|
||||
return nil
|
||||
}
|
|
@ -25,7 +25,7 @@ import (
|
|||
// +kubebuilder:object:root=true
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
||||
// +kubebuilder:storageversion
|
||||
// +kubebuilder:deprecatedversion
|
||||
|
||||
// PolicyException declares resources to be excluded from specified policies.
|
||||
type PolicyException struct {
|
||||
|
|
|
@ -41827,6 +41827,597 @@ spec:
|
|||
singular: policyexception
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
policies.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec declares policy exception behaviors.
|
||||
properties:
|
||||
background:
|
||||
description: Background controls if exceptions are applied to existing
|
||||
policies during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
conditions:
|
||||
description: Conditions are used to determine if a resource applies
|
||||
to the exception by evaluating a set of conditions. The declaration
|
||||
can contain nested `any` or `all` statements.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
exceptions:
|
||||
description: Exceptions is a list policy/rules to be excluded
|
||||
items:
|
||||
description: Exception stores infos about a policy and rules
|
||||
properties:
|
||||
policyName:
|
||||
description: PolicyName identifies the policy to which the exception
|
||||
is applied. The policy name uses the format <namespace>/<name>
|
||||
unless it references a ClusterPolicy.
|
||||
type: string
|
||||
ruleNames:
|
||||
description: RuleNames identifies the rules to which the exception
|
||||
is applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- policyName
|
||||
- ruleNames
|
||||
type: object
|
||||
type: array
|
||||
match:
|
||||
description: Match defines match clause used to check if a resource
|
||||
applies to the exception
|
||||
properties:
|
||||
all:
|
||||
description: All allows specifying resources which will be ANDed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: Any allows specifying resources which will be ORed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- exceptions
|
||||
- match
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
- deprecated: true
|
||||
name: v2alpha1
|
||||
schema:
|
||||
|
@ -42419,7 +43010,8 @@ spec:
|
|||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
- name: v2beta1
|
||||
- deprecated: true
|
||||
name: v2beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
|
@ -43009,7 +43601,7 @@ spec:
|
|||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
storage: false
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2alpha1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: delta-exception
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2alpha1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: delta-exception
|
||||
|
|
|
@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) {
|
|||
out, err := io.ReadAll(b)
|
||||
assert.NoError(t, err)
|
||||
expected := `
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: test
|
||||
|
@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) {
|
|||
out, err := io.ReadAll(b)
|
||||
assert.NoError(t, err)
|
||||
expected := `
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: test
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: {{ .Name }}
|
||||
|
|
|
@ -18,6 +18,597 @@ spec:
|
|||
singular: policyexception
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
policies.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec declares policy exception behaviors.
|
||||
properties:
|
||||
background:
|
||||
description: Background controls if exceptions are applied to existing
|
||||
policies during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
conditions:
|
||||
description: Conditions are used to determine if a resource applies
|
||||
to the exception by evaluating a set of conditions. The declaration
|
||||
can contain nested `any` or `all` statements.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
exceptions:
|
||||
description: Exceptions is a list policy/rules to be excluded
|
||||
items:
|
||||
description: Exception stores infos about a policy and rules
|
||||
properties:
|
||||
policyName:
|
||||
description: PolicyName identifies the policy to which the exception
|
||||
is applied. The policy name uses the format <namespace>/<name>
|
||||
unless it references a ClusterPolicy.
|
||||
type: string
|
||||
ruleNames:
|
||||
description: RuleNames identifies the rules to which the exception
|
||||
is applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- policyName
|
||||
- ruleNames
|
||||
type: object
|
||||
type: array
|
||||
match:
|
||||
description: Match defines match clause used to check if a resource
|
||||
applies to the exception
|
||||
properties:
|
||||
all:
|
||||
description: All allows specifying resources which will be ANDed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: Any allows specifying resources which will be ORed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- exceptions
|
||||
- match
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
- deprecated: true
|
||||
name: v2alpha1
|
||||
schema:
|
||||
|
@ -610,7 +1201,8 @@ spec:
|
|||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
- name: v2beta1
|
||||
- deprecated: true
|
||||
name: v2beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
|
@ -1200,4 +1792,4 @@ spec:
|
|||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
storage: false
|
||||
|
|
|
@ -3,6 +3,7 @@ package exception
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
|
||||
|
@ -14,25 +15,26 @@ import (
|
|||
)
|
||||
|
||||
var (
|
||||
factory, _ = resourceloader.New(openapiclient.NewComposite(openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder)))
|
||||
exceptionV1 = schema.GroupVersion(kyvernov2alpha1.GroupVersion).WithKind("PolicyException")
|
||||
exceptionV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("PolicyException")
|
||||
factory, _ = resourceloader.New(openapiclient.NewComposite(openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder)))
|
||||
exceptionV2alpha1 = schema.GroupVersion(kyvernov2alpha1.GroupVersion).WithKind("PolicyException")
|
||||
exceptionV2beta1 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("PolicyException")
|
||||
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
|
||||
)
|
||||
|
||||
func Load(content []byte) ([]*kyvernov2alpha1.PolicyException, error) {
|
||||
func Load(content []byte) ([]*kyvernov2.PolicyException, error) {
|
||||
documents, err := yamlutils.SplitDocuments(content)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var exceptions []*kyvernov2alpha1.PolicyException
|
||||
var exceptions []*kyvernov2.PolicyException
|
||||
for _, document := range documents {
|
||||
gvk, untyped, err := factory.Load(document)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
switch gvk {
|
||||
case exceptionV1, exceptionV2:
|
||||
exception, err := convert.To[kyvernov2alpha1.PolicyException](untyped)
|
||||
case exceptionV2alpha1, exceptionV2beta1, exceptionV2:
|
||||
exception, err := convert.To[kyvernov2.PolicyException](untyped)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -65,7 +65,7 @@ func NewExceptionSelector(
|
|||
var exceptionsLister engineapi.PolicyExceptionSelector
|
||||
if enablePolicyException {
|
||||
factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
||||
lister := factory.Kyverno().V2beta1().PolicyExceptions().Lister()
|
||||
lister := factory.Kyverno().V2().PolicyExceptions().Lister()
|
||||
if exceptionNamespace != "" {
|
||||
exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
|
||||
} else {
|
||||
|
|
|
@ -18,6 +18,597 @@ spec:
|
|||
singular: policyexception
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
policies.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec declares policy exception behaviors.
|
||||
properties:
|
||||
background:
|
||||
description: Background controls if exceptions are applied to existing
|
||||
policies during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
conditions:
|
||||
description: Conditions are used to determine if a resource applies
|
||||
to the exception by evaluating a set of conditions. The declaration
|
||||
can contain nested `any` or `all` statements.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
exceptions:
|
||||
description: Exceptions is a list policy/rules to be excluded
|
||||
items:
|
||||
description: Exception stores infos about a policy and rules
|
||||
properties:
|
||||
policyName:
|
||||
description: PolicyName identifies the policy to which the exception
|
||||
is applied. The policy name uses the format <namespace>/<name>
|
||||
unless it references a ClusterPolicy.
|
||||
type: string
|
||||
ruleNames:
|
||||
description: RuleNames identifies the rules to which the exception
|
||||
is applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- policyName
|
||||
- ruleNames
|
||||
type: object
|
||||
type: array
|
||||
match:
|
||||
description: Match defines match clause used to check if a resource
|
||||
applies to the exception
|
||||
properties:
|
||||
all:
|
||||
description: All allows specifying resources which will be ANDed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: Any allows specifying resources which will be ORed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- exceptions
|
||||
- match
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
- deprecated: true
|
||||
name: v2alpha1
|
||||
schema:
|
||||
|
@ -610,7 +1201,8 @@ spec:
|
|||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
- name: v2beta1
|
||||
- deprecated: true
|
||||
name: v2beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
|
@ -1200,4 +1792,4 @@ spec:
|
|||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
storage: false
|
||||
|
|
|
@ -42050,6 +42050,597 @@ spec:
|
|||
singular: policyexception
|
||||
scope: Namespaced
|
||||
versions:
|
||||
- name: v2
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
policies.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
type: string
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec declares policy exception behaviors.
|
||||
properties:
|
||||
background:
|
||||
description: Background controls if exceptions are applied to existing
|
||||
policies during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
conditions:
|
||||
description: Conditions are used to determine if a resource applies
|
||||
to the exception by evaluating a set of conditions. The declaration
|
||||
can contain nested `any` or `all` statements.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
description: Key is the context entry (using JMESPath) for
|
||||
conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
message:
|
||||
description: Message is an optional display message
|
||||
type: string
|
||||
operator:
|
||||
description: 'Operator is the conditional operation to perform.
|
||||
Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
|
||||
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
|
||||
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
|
||||
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
|
||||
enum:
|
||||
- Equals
|
||||
- NotEquals
|
||||
- AnyIn
|
||||
- AllIn
|
||||
- AnyNotIn
|
||||
- AllNotIn
|
||||
- GreaterThanOrEquals
|
||||
- GreaterThan
|
||||
- LessThanOrEquals
|
||||
- LessThan
|
||||
- DurationGreaterThanOrEquals
|
||||
- DurationGreaterThan
|
||||
- DurationLessThanOrEquals
|
||||
- DurationLessThan
|
||||
type: string
|
||||
value:
|
||||
description: Value is the conditional value, or set of values.
|
||||
The values can be fixed set or can be variables declared
|
||||
using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
exceptions:
|
||||
description: Exceptions is a list policy/rules to be excluded
|
||||
items:
|
||||
description: Exception stores infos about a policy and rules
|
||||
properties:
|
||||
policyName:
|
||||
description: PolicyName identifies the policy to which the exception
|
||||
is applied. The policy name uses the format <namespace>/<name>
|
||||
unless it references a ClusterPolicy.
|
||||
type: string
|
||||
ruleNames:
|
||||
description: RuleNames identifies the rules to which the exception
|
||||
is applied.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- policyName
|
||||
- ruleNames
|
||||
type: object
|
||||
type: array
|
||||
match:
|
||||
description: Match defines match clause used to check if a resource
|
||||
applies to the exception
|
||||
properties:
|
||||
all:
|
||||
description: All allows specifying resources which will be ANDed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
any:
|
||||
description: Any allows specifying resources which will be ORed
|
||||
items:
|
||||
description: ResourceFilter allow users to "AND" or "OR" between
|
||||
resources
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Annotations is a map of annotations (key-value
|
||||
pairs of type string). Annotation keys and values
|
||||
support the wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (matches at least one
|
||||
character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: 'Name is the name of the resource. The
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
NOTE: "Name" is being deprecated in favor of "Names".'
|
||||
type: string
|
||||
names:
|
||||
description: Names are the names of the resources. Each
|
||||
name supports wildcard characters "*" (matches zero
|
||||
or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
namespaceSelector:
|
||||
description: 'NamespaceSelector is a label selector
|
||||
for the resource namespace. Label keys and values
|
||||
in `matchLabels` support the wildcard characters `*`
|
||||
(matches zero or many characters) and `?` (matches
|
||||
one character).Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
operations:
|
||||
description: Operations can contain values ["CREATE,
|
||||
"UPDATE", "CONNECT", "DELETE"], which are used to
|
||||
match a specific action.
|
||||
items:
|
||||
description: AdmissionOperation can have one of the
|
||||
values CREATE, UPDATE, CONNECT, DELETE, which are
|
||||
used to match a specific action.
|
||||
enum:
|
||||
- CREATE
|
||||
- CONNECT
|
||||
- UPDATE
|
||||
- DELETE
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: 'Selector is a label selector. Label keys
|
||||
and values in `matchLabels` support the wildcard characters
|
||||
`*` (matches zero or many characters) and `?` (matches
|
||||
one character). Wildcards allows writing label selectors
|
||||
like ["storage.k8s.io/*": "*"]. Note that using ["*"
|
||||
: "*"] matches any key and value but does not match
|
||||
an empty label set.'
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are ANDed.
|
||||
items:
|
||||
description: A label selector requirement is a
|
||||
selector that contains values, a key, and an
|
||||
operator that relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: operator represents a key's relationship
|
||||
to a set of values. Valid operators are
|
||||
In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: values is an array of string
|
||||
values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the
|
||||
operator is Exists or DoesNotExist, the
|
||||
values array must be empty. This array is
|
||||
replaced during a strategic merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: matchLabels is a map of {key,value}
|
||||
pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions,
|
||||
whose key field is "key", the operator is "In",
|
||||
and the values array contains only "value". The
|
||||
requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: object
|
||||
roles:
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
can either hold a direct API object reference, or a
|
||||
value for non-objects such as user and group names.
|
||||
properties:
|
||||
apiGroup:
|
||||
description: APIGroup holds the API group of the referenced
|
||||
subject. Defaults to "" for ServiceAccount subjects.
|
||||
Defaults to "rbac.authorization.k8s.io" for User
|
||||
and Group subjects.
|
||||
type: string
|
||||
kind:
|
||||
description: Kind of object being referenced. Values
|
||||
defined by this API group are "User", "Group", and
|
||||
"ServiceAccount". If the Authorizer does not recognized
|
||||
the kind value, the Authorizer should report an
|
||||
error.
|
||||
type: string
|
||||
name:
|
||||
description: Name of the object being referenced.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace of the referenced object. If
|
||||
the object kind is non-namespace, such as "User"
|
||||
or "Group", and this value is not empty the Authorizer
|
||||
should report an error.
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
required:
|
||||
- exceptions
|
||||
- match
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
- deprecated: true
|
||||
name: v2alpha1
|
||||
schema:
|
||||
|
@ -42642,7 +43233,8 @@ spec:
|
|||
type: object
|
||||
served: true
|
||||
storage: false
|
||||
- name: v2beta1
|
||||
- deprecated: true
|
||||
name: v2beta1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: PolicyException declares resources to be excluded from specified
|
||||
|
@ -43232,7 +43824,7 @@ spec:
|
|||
- spec
|
||||
type: object
|
||||
served: true
|
||||
storage: true
|
||||
storage: false
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
|
|
|
@ -27,6 +27,9 @@ background-color: #1589dd;
|
|||
<a href="#kyverno.io%2fv1beta1"><b style="color: white">kyverno.io/v1beta1</b></a>
|
||||
</li>
|
||||
<li>
|
||||
<a href="#kyverno.io%2fv2"><b style="color: white">kyverno.io/v2</b></a>
|
||||
</li>
|
||||
<li>
|
||||
<a href="#kyverno.io%2fv2alpha1"><b style="color: white">kyverno.io/v2alpha1</b></a>
|
||||
</li>
|
||||
<li>
|
||||
|
@ -5431,6 +5434,250 @@ int
|
|||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h2 id="kyverno.io/v2">kyverno.io/v2</h2>
|
||||
<p>
|
||||
</p>
|
||||
Resource Types:
|
||||
<ul><li>
|
||||
<a href="#kyverno.io/v2.PolicyException">PolicyException</a>
|
||||
</li></ul>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v2.PolicyException">PolicyException
|
||||
</h3>
|
||||
<p>
|
||||
<p>PolicyException declares resources to be excluded from specified policies.</p>
|
||||
</p>
|
||||
<table class="table table-striped">
|
||||
<thead class="thead-dark">
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>apiVersion</code><br/>
|
||||
string</td>
|
||||
<td>
|
||||
<code>
|
||||
kyverno.io/v2
|
||||
</code>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>kind</code><br/>
|
||||
string
|
||||
</td>
|
||||
<td><code>PolicyException</code></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>metadata</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
|
||||
Kubernetes meta/v1.ObjectMeta
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
Refer to the Kubernetes API documentation for the fields of the
|
||||
<code>metadata</code> field.
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>spec</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2.PolicyExceptionSpec">
|
||||
PolicyExceptionSpec
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Spec declares policy exception behaviors.</p>
|
||||
<br/>
|
||||
<br/>
|
||||
<table class="table table-striped">
|
||||
<tr>
|
||||
<td>
|
||||
<code>background</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Background controls if exceptions are applied to existing policies during a background scan.
|
||||
Optional. Default value is “true”. The value must be set to “false” if the policy rule
|
||||
uses variables that are only available in the admission review request (e.g. user name).</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>match</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Match defines match clause used to check if a resource applies to the exception</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>conditions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2beta1.AnyAllConditions">
|
||||
AnyAllConditions
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Conditions are used to determine if a resource applies to the exception by evaluating a
|
||||
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>exceptions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2.Exception">
|
||||
[]Exception
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Exceptions is a list policy/rules to be excluded</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v2.Exception">Exception
|
||||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>Exception stores infos about a policy and rules</p>
|
||||
</p>
|
||||
<table class="table table-striped">
|
||||
<thead class="thead-dark">
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>policyName</code><br/>
|
||||
<em>
|
||||
string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>PolicyName identifies the policy to which the exception is applied.
|
||||
The policy name uses the format <namespace>/<name> unless it
|
||||
references a ClusterPolicy.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>ruleNames</code><br/>
|
||||
<em>
|
||||
[]string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>RuleNames identifies the rules to which the exception is applied.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h3 id="kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec
|
||||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v2.PolicyException">PolicyException</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>PolicyExceptionSpec stores policy exception spec</p>
|
||||
</p>
|
||||
<table class="table table-striped">
|
||||
<thead class="thead-dark">
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>background</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Background controls if exceptions are applied to existing policies during a background scan.
|
||||
Optional. Default value is “true”. The value must be set to “false” if the policy rule
|
||||
uses variables that are only available in the admission review request (e.g. user name).</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>match</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2beta1.MatchResources">
|
||||
MatchResources
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Match defines match clause used to check if a resource applies to the exception</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>conditions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2beta1.AnyAllConditions">
|
||||
AnyAllConditions
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Conditions are used to determine if a resource applies to the exception by evaluating a
|
||||
set of conditions. The declaration can contain nested <code>any</code> or <code>all</code> statements.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>exceptions</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v2.Exception">
|
||||
[]Exception
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Exceptions is a list policy/rules to be excluded</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<hr />
|
||||
<h2 id="kyverno.io/v2alpha1">kyverno.io/v2alpha1</h2>
|
||||
<p>
|
||||
</p>
|
||||
|
@ -6821,6 +7068,7 @@ set of conditions. The declaration can contain nested <code>any</code> or <code>
|
|||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.CleanupPolicySpec">CleanupPolicySpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Deny">Deny</a>,
|
||||
<a href="#kyverno.io/v2beta1.PolicyExceptionSpec">PolicyExceptionSpec</a>,
|
||||
|
@ -7329,6 +7577,7 @@ bool
|
|||
</h3>
|
||||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v2.PolicyExceptionSpec">PolicyExceptionSpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.CleanupPolicySpec">CleanupPolicySpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.PolicyExceptionSpec">PolicyExceptionSpec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Rule">Rule</a>)
|
||||
|
|
50
pkg/client/applyconfigurations/kyverno/v2/exception.go
Normal file
50
pkg/client/applyconfigurations/kyverno/v2/exception.go
Normal file
|
@ -0,0 +1,50 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
// ExceptionApplyConfiguration represents an declarative configuration of the Exception type for use
|
||||
// with apply.
|
||||
type ExceptionApplyConfiguration struct {
|
||||
PolicyName *string `json:"policyName,omitempty"`
|
||||
RuleNames []string `json:"ruleNames,omitempty"`
|
||||
}
|
||||
|
||||
// ExceptionApplyConfiguration constructs an declarative configuration of the Exception type for use with
|
||||
// apply.
|
||||
func Exception() *ExceptionApplyConfiguration {
|
||||
return &ExceptionApplyConfiguration{}
|
||||
}
|
||||
|
||||
// WithPolicyName sets the PolicyName field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the PolicyName field is set to the value of the last call.
|
||||
func (b *ExceptionApplyConfiguration) WithPolicyName(value string) *ExceptionApplyConfiguration {
|
||||
b.PolicyName = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithRuleNames adds the given value to the RuleNames field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the RuleNames field.
|
||||
func (b *ExceptionApplyConfiguration) WithRuleNames(values ...string) *ExceptionApplyConfiguration {
|
||||
for i := range values {
|
||||
b.RuleNames = append(b.RuleNames, values[i])
|
||||
}
|
||||
return b
|
||||
}
|
210
pkg/client/applyconfigurations/kyverno/v2/policyexception.go
Normal file
210
pkg/client/applyconfigurations/kyverno/v2/policyexception.go
Normal file
|
@ -0,0 +1,210 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
types "k8s.io/apimachinery/pkg/types"
|
||||
v1 "k8s.io/client-go/applyconfigurations/meta/v1"
|
||||
)
|
||||
|
||||
// PolicyExceptionApplyConfiguration represents an declarative configuration of the PolicyException type for use
|
||||
// with apply.
|
||||
type PolicyExceptionApplyConfiguration struct {
|
||||
v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
|
||||
*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
|
||||
Spec *PolicyExceptionSpecApplyConfiguration `json:"spec,omitempty"`
|
||||
}
|
||||
|
||||
// PolicyException constructs an declarative configuration of the PolicyException type for use with
|
||||
// apply.
|
||||
func PolicyException(name, namespace string) *PolicyExceptionApplyConfiguration {
|
||||
b := &PolicyExceptionApplyConfiguration{}
|
||||
b.WithName(name)
|
||||
b.WithNamespace(namespace)
|
||||
b.WithKind("PolicyException")
|
||||
b.WithAPIVersion("kyverno.io/v2")
|
||||
return b
|
||||
}
|
||||
|
||||
// WithKind sets the Kind field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Kind field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithKind(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.Kind = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the APIVersion field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithAPIVersion(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.APIVersion = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithName sets the Name field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Name field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithName(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.Name = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the GenerateName field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithGenerateName(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.GenerateName = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithNamespace sets the Namespace field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Namespace field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithNamespace(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.Namespace = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithUID sets the UID field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the UID field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithUID(value types.UID) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.UID = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ResourceVersion field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithResourceVersion(value string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.ResourceVersion = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithGeneration sets the Generation field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Generation field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithGeneration(value int64) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.Generation = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the CreationTimestamp field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithCreationTimestamp(value metav1.Time) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.CreationTimestamp = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.DeletionTimestamp = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
b.DeletionGracePeriodSeconds = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithLabels puts the entries into the Labels field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, the entries provided by each call will be put on the Labels field,
|
||||
// overwriting an existing map entries in Labels field with the same key.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithLabels(entries map[string]string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
if b.Labels == nil && len(entries) > 0 {
|
||||
b.Labels = make(map[string]string, len(entries))
|
||||
}
|
||||
for k, v := range entries {
|
||||
b.Labels[k] = v
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithAnnotations puts the entries into the Annotations field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, the entries provided by each call will be put on the Annotations field,
|
||||
// overwriting an existing map entries in Annotations field with the same key.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithAnnotations(entries map[string]string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
if b.Annotations == nil && len(entries) > 0 {
|
||||
b.Annotations = make(map[string]string, len(entries))
|
||||
}
|
||||
for k, v := range entries {
|
||||
b.Annotations[k] = v
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
for i := range values {
|
||||
if values[i] == nil {
|
||||
panic("nil value passed to WithOwnerReferences")
|
||||
}
|
||||
b.OwnerReferences = append(b.OwnerReferences, *values[i])
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the Finalizers field.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithFinalizers(values ...string) *PolicyExceptionApplyConfiguration {
|
||||
b.ensureObjectMetaApplyConfigurationExists()
|
||||
for i := range values {
|
||||
b.Finalizers = append(b.Finalizers, values[i])
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
func (b *PolicyExceptionApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
|
||||
if b.ObjectMetaApplyConfiguration == nil {
|
||||
b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
|
||||
}
|
||||
}
|
||||
|
||||
// WithSpec sets the Spec field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Spec field is set to the value of the last call.
|
||||
func (b *PolicyExceptionApplyConfiguration) WithSpec(value *PolicyExceptionSpecApplyConfiguration) *PolicyExceptionApplyConfiguration {
|
||||
b.Spec = value
|
||||
return b
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by applyconfiguration-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
v2beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2beta1"
|
||||
)
|
||||
|
||||
// PolicyExceptionSpecApplyConfiguration represents an declarative configuration of the PolicyExceptionSpec type for use
|
||||
// with apply.
|
||||
type PolicyExceptionSpecApplyConfiguration struct {
|
||||
Background *bool `json:"background,omitempty"`
|
||||
Match *v2beta1.MatchResourcesApplyConfiguration `json:"match,omitempty"`
|
||||
Conditions *v2beta1.AnyAllConditionsApplyConfiguration `json:"conditions,omitempty"`
|
||||
Exceptions []ExceptionApplyConfiguration `json:"exceptions,omitempty"`
|
||||
}
|
||||
|
||||
// PolicyExceptionSpecApplyConfiguration constructs an declarative configuration of the PolicyExceptionSpec type for use with
|
||||
// apply.
|
||||
func PolicyExceptionSpec() *PolicyExceptionSpecApplyConfiguration {
|
||||
return &PolicyExceptionSpecApplyConfiguration{}
|
||||
}
|
||||
|
||||
// WithBackground sets the Background field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Background field is set to the value of the last call.
|
||||
func (b *PolicyExceptionSpecApplyConfiguration) WithBackground(value bool) *PolicyExceptionSpecApplyConfiguration {
|
||||
b.Background = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithMatch sets the Match field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Match field is set to the value of the last call.
|
||||
func (b *PolicyExceptionSpecApplyConfiguration) WithMatch(value *v2beta1.MatchResourcesApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
|
||||
b.Match = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithConditions sets the Conditions field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Conditions field is set to the value of the last call.
|
||||
func (b *PolicyExceptionSpecApplyConfiguration) WithConditions(value *v2beta1.AnyAllConditionsApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
|
||||
b.Conditions = value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithExceptions adds the given value to the Exceptions field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the Exceptions field.
|
||||
func (b *PolicyExceptionSpecApplyConfiguration) WithExceptions(values ...*ExceptionApplyConfiguration) *PolicyExceptionSpecApplyConfiguration {
|
||||
for i := range values {
|
||||
if values[i] == nil {
|
||||
panic("nil value passed to WithExceptions")
|
||||
}
|
||||
b.Exceptions = append(b.Exceptions, *values[i])
|
||||
}
|
||||
return b
|
||||
}
|
|
@ -22,12 +22,14 @@ import (
|
|||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
v1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
v1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1alpha2"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v2beta1"
|
||||
applyconfigurationspolicyreportv1alpha2 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/policyreport/v1alpha2"
|
||||
|
@ -168,6 +170,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
|
|||
case v1beta1.SchemeGroupVersion.WithKind("UpdateRequestStatus"):
|
||||
return &kyvernov1beta1.UpdateRequestStatusApplyConfiguration{}
|
||||
|
||||
// Group=kyverno.io, Version=v2
|
||||
case v2.SchemeGroupVersion.WithKind("Exception"):
|
||||
return &kyvernov2.ExceptionApplyConfiguration{}
|
||||
case v2.SchemeGroupVersion.WithKind("PolicyException"):
|
||||
return &kyvernov2.PolicyExceptionApplyConfiguration{}
|
||||
case v2.SchemeGroupVersion.WithKind("PolicyExceptionSpec"):
|
||||
return &kyvernov2.PolicyExceptionSpecApplyConfiguration{}
|
||||
|
||||
// Group=kyverno.io, Version=v2alpha1
|
||||
case v2alpha1.SchemeGroupVersion.WithKind("CleanupPolicy"):
|
||||
return &kyvernov2alpha1.CleanupPolicyApplyConfiguration{}
|
||||
|
|
|
@ -25,6 +25,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
|
||||
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha2"
|
||||
|
@ -38,6 +39,7 @@ type Interface interface {
|
|||
KyvernoV1() kyvernov1.KyvernoV1Interface
|
||||
KyvernoV1alpha2() kyvernov1alpha2.KyvernoV1alpha2Interface
|
||||
KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface
|
||||
KyvernoV2() kyvernov2.KyvernoV2Interface
|
||||
KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface
|
||||
KyvernoV2alpha1() kyvernov2alpha1.KyvernoV2alpha1Interface
|
||||
Wgpolicyk8sV1alpha2() wgpolicyk8sv1alpha2.Wgpolicyk8sV1alpha2Interface
|
||||
|
@ -49,6 +51,7 @@ type Clientset struct {
|
|||
kyvernoV1 *kyvernov1.KyvernoV1Client
|
||||
kyvernoV1alpha2 *kyvernov1alpha2.KyvernoV1alpha2Client
|
||||
kyvernoV1beta1 *kyvernov1beta1.KyvernoV1beta1Client
|
||||
kyvernoV2 *kyvernov2.KyvernoV2Client
|
||||
kyvernoV2beta1 *kyvernov2beta1.KyvernoV2beta1Client
|
||||
kyvernoV2alpha1 *kyvernov2alpha1.KyvernoV2alpha1Client
|
||||
wgpolicyk8sV1alpha2 *wgpolicyk8sv1alpha2.Wgpolicyk8sV1alpha2Client
|
||||
|
@ -69,6 +72,11 @@ func (c *Clientset) KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface {
|
|||
return c.kyvernoV1beta1
|
||||
}
|
||||
|
||||
// KyvernoV2 retrieves the KyvernoV2Client
|
||||
func (c *Clientset) KyvernoV2() kyvernov2.KyvernoV2Interface {
|
||||
return c.kyvernoV2
|
||||
}
|
||||
|
||||
// KyvernoV2beta1 retrieves the KyvernoV2beta1Client
|
||||
func (c *Clientset) KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface {
|
||||
return c.kyvernoV2beta1
|
||||
|
@ -140,6 +148,10 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cs.kyvernoV2, err = kyvernov2.NewForConfigAndClient(&configShallowCopy, httpClient)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cs.kyvernoV2beta1, err = kyvernov2beta1.NewForConfigAndClient(&configShallowCopy, httpClient)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -176,6 +188,7 @@ func New(c rest.Interface) *Clientset {
|
|||
cs.kyvernoV1 = kyvernov1.New(c)
|
||||
cs.kyvernoV1alpha2 = kyvernov1alpha2.New(c)
|
||||
cs.kyvernoV1beta1 = kyvernov1beta1.New(c)
|
||||
cs.kyvernoV2 = kyvernov2.New(c)
|
||||
cs.kyvernoV2beta1 = kyvernov2beta1.New(c)
|
||||
cs.kyvernoV2alpha1 = kyvernov2alpha1.New(c)
|
||||
cs.wgpolicyk8sV1alpha2 = wgpolicyk8sv1alpha2.New(c)
|
||||
|
|
|
@ -26,6 +26,8 @@ import (
|
|||
fakekyvernov1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2/fake"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
|
||||
fakekyvernov1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1/fake"
|
||||
kyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
fakekyvernov2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2/fake"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
|
||||
fakekyvernov2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1/fake"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
|
||||
|
@ -104,6 +106,11 @@ func (c *Clientset) KyvernoV1beta1() kyvernov1beta1.KyvernoV1beta1Interface {
|
|||
return &fakekyvernov1beta1.FakeKyvernoV1beta1{Fake: &c.Fake}
|
||||
}
|
||||
|
||||
// KyvernoV2 retrieves the KyvernoV2Client
|
||||
func (c *Clientset) KyvernoV2() kyvernov2.KyvernoV2Interface {
|
||||
return &fakekyvernov2.FakeKyvernoV2{Fake: &c.Fake}
|
||||
}
|
||||
|
||||
// KyvernoV2beta1 retrieves the KyvernoV2beta1Client
|
||||
func (c *Clientset) KyvernoV2beta1() kyvernov2beta1.KyvernoV2beta1Interface {
|
||||
return &fakekyvernov2beta1.FakeKyvernoV2beta1{Fake: &c.Fake}
|
||||
|
|
|
@ -22,6 +22,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
|
@ -39,6 +40,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
|
|||
kyvernov1.AddToScheme,
|
||||
kyvernov1alpha2.AddToScheme,
|
||||
kyvernov1beta1.AddToScheme,
|
||||
kyvernov2.AddToScheme,
|
||||
kyvernov2beta1.AddToScheme,
|
||||
kyvernov2alpha1.AddToScheme,
|
||||
wgpolicyk8sv1alpha2.AddToScheme,
|
||||
|
|
|
@ -22,6 +22,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
|
@ -39,6 +40,7 @@ var localSchemeBuilder = runtime.SchemeBuilder{
|
|||
kyvernov1.AddToScheme,
|
||||
kyvernov1alpha2.AddToScheme,
|
||||
kyvernov1beta1.AddToScheme,
|
||||
kyvernov2.AddToScheme,
|
||||
kyvernov2beta1.AddToScheme,
|
||||
kyvernov2alpha1.AddToScheme,
|
||||
wgpolicyk8sv1alpha2.AddToScheme,
|
||||
|
|
20
pkg/client/clientset/versioned/typed/kyverno/v2/doc.go
Normal file
20
pkg/client/clientset/versioned/typed/kyverno/v2/doc.go
Normal file
|
@ -0,0 +1,20 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
// This package has the automatically generated typed clients.
|
||||
package v2
|
20
pkg/client/clientset/versioned/typed/kyverno/v2/fake/doc.go
Normal file
20
pkg/client/clientset/versioned/typed/kyverno/v2/fake/doc.go
Normal file
|
@ -0,0 +1,20 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
// Package fake has the automatically generated clients.
|
||||
package fake
|
|
@ -0,0 +1,40 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
package fake
|
||||
|
||||
import (
|
||||
v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
rest "k8s.io/client-go/rest"
|
||||
testing "k8s.io/client-go/testing"
|
||||
)
|
||||
|
||||
type FakeKyvernoV2 struct {
|
||||
*testing.Fake
|
||||
}
|
||||
|
||||
func (c *FakeKyvernoV2) PolicyExceptions(namespace string) v2.PolicyExceptionInterface {
|
||||
return &FakePolicyExceptions{c, namespace}
|
||||
}
|
||||
|
||||
// RESTClient returns a RESTClient that is used to communicate
|
||||
// with API server by this client implementation.
|
||||
func (c *FakeKyvernoV2) RESTClient() rest.Interface {
|
||||
var ret *rest.RESTClient
|
||||
return ret
|
||||
}
|
|
@ -0,0 +1,129 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
package fake
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
labels "k8s.io/apimachinery/pkg/labels"
|
||||
types "k8s.io/apimachinery/pkg/types"
|
||||
watch "k8s.io/apimachinery/pkg/watch"
|
||||
testing "k8s.io/client-go/testing"
|
||||
)
|
||||
|
||||
// FakePolicyExceptions implements PolicyExceptionInterface
|
||||
type FakePolicyExceptions struct {
|
||||
Fake *FakeKyvernoV2
|
||||
ns string
|
||||
}
|
||||
|
||||
var policyexceptionsResource = v2.SchemeGroupVersion.WithResource("policyexceptions")
|
||||
|
||||
var policyexceptionsKind = v2.SchemeGroupVersion.WithKind("PolicyException")
|
||||
|
||||
// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
|
||||
func (c *FakePolicyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.PolicyException, err error) {
|
||||
obj, err := c.Fake.
|
||||
Invokes(testing.NewGetAction(policyexceptionsResource, c.ns, name), &v2.PolicyException{})
|
||||
|
||||
if obj == nil {
|
||||
return nil, err
|
||||
}
|
||||
return obj.(*v2.PolicyException), err
|
||||
}
|
||||
|
||||
// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
|
||||
func (c *FakePolicyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2.PolicyExceptionList, err error) {
|
||||
obj, err := c.Fake.
|
||||
Invokes(testing.NewListAction(policyexceptionsResource, policyexceptionsKind, c.ns, opts), &v2.PolicyExceptionList{})
|
||||
|
||||
if obj == nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
label, _, _ := testing.ExtractFromListOptions(opts)
|
||||
if label == nil {
|
||||
label = labels.Everything()
|
||||
}
|
||||
list := &v2.PolicyExceptionList{ListMeta: obj.(*v2.PolicyExceptionList).ListMeta}
|
||||
for _, item := range obj.(*v2.PolicyExceptionList).Items {
|
||||
if label.Matches(labels.Set(item.Labels)) {
|
||||
list.Items = append(list.Items, item)
|
||||
}
|
||||
}
|
||||
return list, err
|
||||
}
|
||||
|
||||
// Watch returns a watch.Interface that watches the requested policyExceptions.
|
||||
func (c *FakePolicyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
|
||||
return c.Fake.
|
||||
InvokesWatch(testing.NewWatchAction(policyexceptionsResource, c.ns, opts))
|
||||
|
||||
}
|
||||
|
||||
// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
|
||||
func (c *FakePolicyExceptions) Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (result *v2.PolicyException, err error) {
|
||||
obj, err := c.Fake.
|
||||
Invokes(testing.NewCreateAction(policyexceptionsResource, c.ns, policyException), &v2.PolicyException{})
|
||||
|
||||
if obj == nil {
|
||||
return nil, err
|
||||
}
|
||||
return obj.(*v2.PolicyException), err
|
||||
}
|
||||
|
||||
// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
|
||||
func (c *FakePolicyExceptions) Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (result *v2.PolicyException, err error) {
|
||||
obj, err := c.Fake.
|
||||
Invokes(testing.NewUpdateAction(policyexceptionsResource, c.ns, policyException), &v2.PolicyException{})
|
||||
|
||||
if obj == nil {
|
||||
return nil, err
|
||||
}
|
||||
return obj.(*v2.PolicyException), err
|
||||
}
|
||||
|
||||
// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
|
||||
func (c *FakePolicyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
|
||||
_, err := c.Fake.
|
||||
Invokes(testing.NewDeleteActionWithOptions(policyexceptionsResource, c.ns, name, opts), &v2.PolicyException{})
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
// DeleteCollection deletes a collection of objects.
|
||||
func (c *FakePolicyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
|
||||
action := testing.NewDeleteCollectionAction(policyexceptionsResource, c.ns, listOpts)
|
||||
|
||||
_, err := c.Fake.Invokes(action, &v2.PolicyExceptionList{})
|
||||
return err
|
||||
}
|
||||
|
||||
// Patch applies the patch and returns the patched policyException.
|
||||
func (c *FakePolicyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error) {
|
||||
obj, err := c.Fake.
|
||||
Invokes(testing.NewPatchSubresourceAction(policyexceptionsResource, c.ns, name, pt, data, subresources...), &v2.PolicyException{})
|
||||
|
||||
if obj == nil {
|
||||
return nil, err
|
||||
}
|
||||
return obj.(*v2.PolicyException), err
|
||||
}
|
|
@ -0,0 +1,21 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
type PolicyExceptionExpansion interface{}
|
|
@ -0,0 +1,107 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
|
||||
rest "k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
type KyvernoV2Interface interface {
|
||||
RESTClient() rest.Interface
|
||||
PolicyExceptionsGetter
|
||||
}
|
||||
|
||||
// KyvernoV2Client is used to interact with features provided by the kyverno.io group.
|
||||
type KyvernoV2Client struct {
|
||||
restClient rest.Interface
|
||||
}
|
||||
|
||||
func (c *KyvernoV2Client) PolicyExceptions(namespace string) PolicyExceptionInterface {
|
||||
return newPolicyExceptions(c, namespace)
|
||||
}
|
||||
|
||||
// NewForConfig creates a new KyvernoV2Client for the given config.
|
||||
// NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
|
||||
// where httpClient was generated with rest.HTTPClientFor(c).
|
||||
func NewForConfig(c *rest.Config) (*KyvernoV2Client, error) {
|
||||
config := *c
|
||||
if err := setConfigDefaults(&config); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
httpClient, err := rest.HTTPClientFor(&config)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewForConfigAndClient(&config, httpClient)
|
||||
}
|
||||
|
||||
// NewForConfigAndClient creates a new KyvernoV2Client for the given config and http client.
|
||||
// Note the http client provided takes precedence over the configured transport values.
|
||||
func NewForConfigAndClient(c *rest.Config, h *http.Client) (*KyvernoV2Client, error) {
|
||||
config := *c
|
||||
if err := setConfigDefaults(&config); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
client, err := rest.RESTClientForConfigAndClient(&config, h)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &KyvernoV2Client{client}, nil
|
||||
}
|
||||
|
||||
// NewForConfigOrDie creates a new KyvernoV2Client for the given config and
|
||||
// panics if there is an error in the config.
|
||||
func NewForConfigOrDie(c *rest.Config) *KyvernoV2Client {
|
||||
client, err := NewForConfig(c)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return client
|
||||
}
|
||||
|
||||
// New creates a new KyvernoV2Client for the given RESTClient.
|
||||
func New(c rest.Interface) *KyvernoV2Client {
|
||||
return &KyvernoV2Client{c}
|
||||
}
|
||||
|
||||
func setConfigDefaults(config *rest.Config) error {
|
||||
gv := v2.SchemeGroupVersion
|
||||
config.GroupVersion = &gv
|
||||
config.APIPath = "/apis"
|
||||
config.NegotiatedSerializer = scheme.Codecs.WithoutConversion()
|
||||
|
||||
if config.UserAgent == "" {
|
||||
config.UserAgent = rest.DefaultKubernetesUserAgent()
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// RESTClient returns a RESTClient that is used to communicate
|
||||
// with API server by this client implementation.
|
||||
func (c *KyvernoV2Client) RESTClient() rest.Interface {
|
||||
if c == nil {
|
||||
return nil
|
||||
}
|
||||
return c.restClient
|
||||
}
|
|
@ -0,0 +1,178 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by client-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
types "k8s.io/apimachinery/pkg/types"
|
||||
watch "k8s.io/apimachinery/pkg/watch"
|
||||
rest "k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
// PolicyExceptionsGetter has a method to return a PolicyExceptionInterface.
|
||||
// A group's client should implement this interface.
|
||||
type PolicyExceptionsGetter interface {
|
||||
PolicyExceptions(namespace string) PolicyExceptionInterface
|
||||
}
|
||||
|
||||
// PolicyExceptionInterface has methods to work with PolicyException resources.
|
||||
type PolicyExceptionInterface interface {
|
||||
Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (*v2.PolicyException, error)
|
||||
Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (*v2.PolicyException, error)
|
||||
Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
|
||||
DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
|
||||
Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.PolicyException, error)
|
||||
List(ctx context.Context, opts v1.ListOptions) (*v2.PolicyExceptionList, error)
|
||||
Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
|
||||
Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error)
|
||||
PolicyExceptionExpansion
|
||||
}
|
||||
|
||||
// policyExceptions implements PolicyExceptionInterface
|
||||
type policyExceptions struct {
|
||||
client rest.Interface
|
||||
ns string
|
||||
}
|
||||
|
||||
// newPolicyExceptions returns a PolicyExceptions
|
||||
func newPolicyExceptions(c *KyvernoV2Client, namespace string) *policyExceptions {
|
||||
return &policyExceptions{
|
||||
client: c.RESTClient(),
|
||||
ns: namespace,
|
||||
}
|
||||
}
|
||||
|
||||
// Get takes name of the policyException, and returns the corresponding policyException object, and an error if there is any.
|
||||
func (c *policyExceptions) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.PolicyException, err error) {
|
||||
result = &v2.PolicyException{}
|
||||
err = c.client.Get().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
Name(name).
|
||||
VersionedParams(&options, scheme.ParameterCodec).
|
||||
Do(ctx).
|
||||
Into(result)
|
||||
return
|
||||
}
|
||||
|
||||
// List takes label and field selectors, and returns the list of PolicyExceptions that match those selectors.
|
||||
func (c *policyExceptions) List(ctx context.Context, opts v1.ListOptions) (result *v2.PolicyExceptionList, err error) {
|
||||
var timeout time.Duration
|
||||
if opts.TimeoutSeconds != nil {
|
||||
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
|
||||
}
|
||||
result = &v2.PolicyExceptionList{}
|
||||
err = c.client.Get().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
VersionedParams(&opts, scheme.ParameterCodec).
|
||||
Timeout(timeout).
|
||||
Do(ctx).
|
||||
Into(result)
|
||||
return
|
||||
}
|
||||
|
||||
// Watch returns a watch.Interface that watches the requested policyExceptions.
|
||||
func (c *policyExceptions) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
|
||||
var timeout time.Duration
|
||||
if opts.TimeoutSeconds != nil {
|
||||
timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
|
||||
}
|
||||
opts.Watch = true
|
||||
return c.client.Get().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
VersionedParams(&opts, scheme.ParameterCodec).
|
||||
Timeout(timeout).
|
||||
Watch(ctx)
|
||||
}
|
||||
|
||||
// Create takes the representation of a policyException and creates it. Returns the server's representation of the policyException, and an error, if there is any.
|
||||
func (c *policyExceptions) Create(ctx context.Context, policyException *v2.PolicyException, opts v1.CreateOptions) (result *v2.PolicyException, err error) {
|
||||
result = &v2.PolicyException{}
|
||||
err = c.client.Post().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
VersionedParams(&opts, scheme.ParameterCodec).
|
||||
Body(policyException).
|
||||
Do(ctx).
|
||||
Into(result)
|
||||
return
|
||||
}
|
||||
|
||||
// Update takes the representation of a policyException and updates it. Returns the server's representation of the policyException, and an error, if there is any.
|
||||
func (c *policyExceptions) Update(ctx context.Context, policyException *v2.PolicyException, opts v1.UpdateOptions) (result *v2.PolicyException, err error) {
|
||||
result = &v2.PolicyException{}
|
||||
err = c.client.Put().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
Name(policyException.Name).
|
||||
VersionedParams(&opts, scheme.ParameterCodec).
|
||||
Body(policyException).
|
||||
Do(ctx).
|
||||
Into(result)
|
||||
return
|
||||
}
|
||||
|
||||
// Delete takes name of the policyException and deletes it. Returns an error if one occurs.
|
||||
func (c *policyExceptions) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
|
||||
return c.client.Delete().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
Name(name).
|
||||
Body(&opts).
|
||||
Do(ctx).
|
||||
Error()
|
||||
}
|
||||
|
||||
// DeleteCollection deletes a collection of objects.
|
||||
func (c *policyExceptions) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
|
||||
var timeout time.Duration
|
||||
if listOpts.TimeoutSeconds != nil {
|
||||
timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
|
||||
}
|
||||
return c.client.Delete().
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
VersionedParams(&listOpts, scheme.ParameterCodec).
|
||||
Timeout(timeout).
|
||||
Body(&opts).
|
||||
Do(ctx).
|
||||
Error()
|
||||
}
|
||||
|
||||
// Patch applies the patch and returns the patched policyException.
|
||||
func (c *policyExceptions) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.PolicyException, err error) {
|
||||
result = &v2.PolicyException{}
|
||||
err = c.client.Patch(pt).
|
||||
Namespace(c.ns).
|
||||
Resource("policyexceptions").
|
||||
Name(name).
|
||||
SubResource(subresources...).
|
||||
VersionedParams(&opts, scheme.ParameterCodec).
|
||||
Body(data).
|
||||
Do(ctx).
|
||||
Into(result)
|
||||
return
|
||||
}
|
|
@ -24,6 +24,7 @@ import (
|
|||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
v1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
||||
v1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
v2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
|
@ -77,6 +78,10 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
|
|||
case v1beta1.SchemeGroupVersion.WithResource("updaterequests"):
|
||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V1beta1().UpdateRequests().Informer()}, nil
|
||||
|
||||
// Group=kyverno.io, Version=v2
|
||||
case v2.SchemeGroupVersion.WithResource("policyexceptions"):
|
||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().PolicyExceptions().Informer()}, nil
|
||||
|
||||
// Group=kyverno.io, Version=v2alpha1
|
||||
case v2alpha1.SchemeGroupVersion.WithResource("cleanuppolicies"):
|
||||
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2alpha1().CleanupPolicies().Informer()}, nil
|
||||
|
|
|
@ -23,6 +23,7 @@ import (
|
|||
v1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
v1alpha2 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1alpha2"
|
||||
v1beta1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1beta1"
|
||||
v2 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
|
||||
v2alpha1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
|
||||
v2beta1 "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
|
||||
)
|
||||
|
@ -35,6 +36,8 @@ type Interface interface {
|
|||
V1alpha2() v1alpha2.Interface
|
||||
// V1beta1 provides access to shared informers for resources in V1beta1.
|
||||
V1beta1() v1beta1.Interface
|
||||
// V2 provides access to shared informers for resources in V2.
|
||||
V2() v2.Interface
|
||||
// V2beta1 provides access to shared informers for resources in V2beta1.
|
||||
V2beta1() v2beta1.Interface
|
||||
// V2alpha1 provides access to shared informers for resources in V2alpha1.
|
||||
|
@ -67,6 +70,11 @@ func (g *group) V1beta1() v1beta1.Interface {
|
|||
return v1beta1.New(g.factory, g.namespace, g.tweakListOptions)
|
||||
}
|
||||
|
||||
// V2 returns a new v2.Interface.
|
||||
func (g *group) V2() v2.Interface {
|
||||
return v2.New(g.factory, g.namespace, g.tweakListOptions)
|
||||
}
|
||||
|
||||
// V2beta1 returns a new v2beta1.Interface.
|
||||
func (g *group) V2beta1() v2beta1.Interface {
|
||||
return v2beta1.New(g.factory, g.namespace, g.tweakListOptions)
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by informer-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
|
||||
)
|
||||
|
||||
// Interface provides access to all the informers in this group version.
|
||||
type Interface interface {
|
||||
// PolicyExceptions returns a PolicyExceptionInformer.
|
||||
PolicyExceptions() PolicyExceptionInformer
|
||||
}
|
||||
|
||||
type version struct {
|
||||
factory internalinterfaces.SharedInformerFactory
|
||||
namespace string
|
||||
tweakListOptions internalinterfaces.TweakListOptionsFunc
|
||||
}
|
||||
|
||||
// New returns a new Interface.
|
||||
func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakListOptions internalinterfaces.TweakListOptionsFunc) Interface {
|
||||
return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
|
||||
}
|
||||
|
||||
// PolicyExceptions returns a PolicyExceptionInformer.
|
||||
func (v *version) PolicyExceptions() PolicyExceptionInformer {
|
||||
return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
|
||||
}
|
|
@ -0,0 +1,90 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by informer-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
"context"
|
||||
time "time"
|
||||
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
|
||||
v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
watch "k8s.io/apimachinery/pkg/watch"
|
||||
cache "k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
// PolicyExceptionInformer provides access to a shared informer and lister for
|
||||
// PolicyExceptions.
|
||||
type PolicyExceptionInformer interface {
|
||||
Informer() cache.SharedIndexInformer
|
||||
Lister() v2.PolicyExceptionLister
|
||||
}
|
||||
|
||||
type policyExceptionInformer struct {
|
||||
factory internalinterfaces.SharedInformerFactory
|
||||
tweakListOptions internalinterfaces.TweakListOptionsFunc
|
||||
namespace string
|
||||
}
|
||||
|
||||
// NewPolicyExceptionInformer constructs a new informer for PolicyException type.
|
||||
// Always prefer using an informer factory to get a shared informer instead of getting an independent
|
||||
// one. This reduces memory footprint and number of connections to the server.
|
||||
func NewPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
|
||||
return NewFilteredPolicyExceptionInformer(client, namespace, resyncPeriod, indexers, nil)
|
||||
}
|
||||
|
||||
// NewFilteredPolicyExceptionInformer constructs a new informer for PolicyException type.
|
||||
// Always prefer using an informer factory to get a shared informer instead of getting an independent
|
||||
// one. This reduces memory footprint and number of connections to the server.
|
||||
func NewFilteredPolicyExceptionInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
|
||||
return cache.NewSharedIndexInformer(
|
||||
&cache.ListWatch{
|
||||
ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
|
||||
if tweakListOptions != nil {
|
||||
tweakListOptions(&options)
|
||||
}
|
||||
return client.KyvernoV2().PolicyExceptions(namespace).List(context.TODO(), options)
|
||||
},
|
||||
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
|
||||
if tweakListOptions != nil {
|
||||
tweakListOptions(&options)
|
||||
}
|
||||
return client.KyvernoV2().PolicyExceptions(namespace).Watch(context.TODO(), options)
|
||||
},
|
||||
},
|
||||
&kyvernov2.PolicyException{},
|
||||
resyncPeriod,
|
||||
indexers,
|
||||
)
|
||||
}
|
||||
|
||||
func (f *policyExceptionInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
|
||||
return NewFilteredPolicyExceptionInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
|
||||
}
|
||||
|
||||
func (f *policyExceptionInformer) Informer() cache.SharedIndexInformer {
|
||||
return f.factory.InformerFor(&kyvernov2.PolicyException{}, f.defaultInformer)
|
||||
}
|
||||
|
||||
func (f *policyExceptionInformer) Lister() v2.PolicyExceptionLister {
|
||||
return v2.NewPolicyExceptionLister(f.Informer().GetIndexer())
|
||||
}
|
27
pkg/client/listers/kyverno/v2/expansion_generated.go
Normal file
27
pkg/client/listers/kyverno/v2/expansion_generated.go
Normal file
|
@ -0,0 +1,27 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by lister-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
// PolicyExceptionListerExpansion allows custom methods to be added to
|
||||
// PolicyExceptionLister.
|
||||
type PolicyExceptionListerExpansion interface{}
|
||||
|
||||
// PolicyExceptionNamespaceListerExpansion allows custom methods to be added to
|
||||
// PolicyExceptionNamespaceLister.
|
||||
type PolicyExceptionNamespaceListerExpansion interface{}
|
99
pkg/client/listers/kyverno/v2/policyexception.go
Normal file
99
pkg/client/listers/kyverno/v2/policyexception.go
Normal file
|
@ -0,0 +1,99 @@
|
|||
/*
|
||||
Copyright The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
// Code generated by lister-gen. DO NOT EDIT.
|
||||
|
||||
package v2
|
||||
|
||||
import (
|
||||
v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
// PolicyExceptionLister helps list PolicyExceptions.
|
||||
// All objects returned here must be treated as read-only.
|
||||
type PolicyExceptionLister interface {
|
||||
// List lists all PolicyExceptions in the indexer.
|
||||
// Objects returned here must be treated as read-only.
|
||||
List(selector labels.Selector) (ret []*v2.PolicyException, err error)
|
||||
// PolicyExceptions returns an object that can list and get PolicyExceptions.
|
||||
PolicyExceptions(namespace string) PolicyExceptionNamespaceLister
|
||||
PolicyExceptionListerExpansion
|
||||
}
|
||||
|
||||
// policyExceptionLister implements the PolicyExceptionLister interface.
|
||||
type policyExceptionLister struct {
|
||||
indexer cache.Indexer
|
||||
}
|
||||
|
||||
// NewPolicyExceptionLister returns a new PolicyExceptionLister.
|
||||
func NewPolicyExceptionLister(indexer cache.Indexer) PolicyExceptionLister {
|
||||
return &policyExceptionLister{indexer: indexer}
|
||||
}
|
||||
|
||||
// List lists all PolicyExceptions in the indexer.
|
||||
func (s *policyExceptionLister) List(selector labels.Selector) (ret []*v2.PolicyException, err error) {
|
||||
err = cache.ListAll(s.indexer, selector, func(m interface{}) {
|
||||
ret = append(ret, m.(*v2.PolicyException))
|
||||
})
|
||||
return ret, err
|
||||
}
|
||||
|
||||
// PolicyExceptions returns an object that can list and get PolicyExceptions.
|
||||
func (s *policyExceptionLister) PolicyExceptions(namespace string) PolicyExceptionNamespaceLister {
|
||||
return policyExceptionNamespaceLister{indexer: s.indexer, namespace: namespace}
|
||||
}
|
||||
|
||||
// PolicyExceptionNamespaceLister helps list and get PolicyExceptions.
|
||||
// All objects returned here must be treated as read-only.
|
||||
type PolicyExceptionNamespaceLister interface {
|
||||
// List lists all PolicyExceptions in the indexer for a given namespace.
|
||||
// Objects returned here must be treated as read-only.
|
||||
List(selector labels.Selector) (ret []*v2.PolicyException, err error)
|
||||
// Get retrieves the PolicyException from the indexer for a given namespace and name.
|
||||
// Objects returned here must be treated as read-only.
|
||||
Get(name string) (*v2.PolicyException, error)
|
||||
PolicyExceptionNamespaceListerExpansion
|
||||
}
|
||||
|
||||
// policyExceptionNamespaceLister implements the PolicyExceptionNamespaceLister
|
||||
// interface.
|
||||
type policyExceptionNamespaceLister struct {
|
||||
indexer cache.Indexer
|
||||
namespace string
|
||||
}
|
||||
|
||||
// List lists all PolicyExceptions in the indexer for a given namespace.
|
||||
func (s policyExceptionNamespaceLister) List(selector labels.Selector) (ret []*v2.PolicyException, err error) {
|
||||
err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
|
||||
ret = append(ret, m.(*v2.PolicyException))
|
||||
})
|
||||
return ret, err
|
||||
}
|
||||
|
||||
// Get retrieves the PolicyException from the indexer for a given namespace and name.
|
||||
func (s policyExceptionNamespaceLister) Get(name string) (*v2.PolicyException, error) {
|
||||
obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !exists {
|
||||
return nil, errors.NewNotFound(v2.Resource("policyexception"), name)
|
||||
}
|
||||
return obj.(*v2.PolicyException), nil
|
||||
}
|
|
@ -6,6 +6,7 @@ import (
|
|||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha2"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1beta1"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2alpha1"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2beta1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2beta1"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policyreport_v1alpha2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha2"
|
||||
|
@ -13,6 +14,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1"
|
||||
kyvernov1alpha2 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1alpha2"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov1beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2alpha1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2beta1"
|
||||
wgpolicyk8sv1alpha2 "github.com/kyverno/kyverno/pkg/clients/kyverno/wgpolicyk8sv1alpha2"
|
||||
|
@ -25,6 +27,7 @@ type clientset struct {
|
|||
kyvernov1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1.KyvernoV1Interface
|
||||
kyvernov1alpha2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1alpha2.KyvernoV1alpha2Interface
|
||||
kyvernov1beta1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1.KyvernoV1beta1Interface
|
||||
kyvernov2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
|
||||
kyvernov2alpha1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface
|
||||
kyvernov2beta1 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2beta1.KyvernoV2beta1Interface
|
||||
wgpolicyk8sv1alpha2 github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_policyreport_v1alpha2.Wgpolicyk8sV1alpha2Interface
|
||||
|
@ -42,6 +45,9 @@ func (c *clientset) KyvernoV1alpha2() github_com_kyverno_kyverno_pkg_client_clie
|
|||
func (c *clientset) KyvernoV1beta1() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v1beta1.KyvernoV1beta1Interface {
|
||||
return c.kyvernov1beta1
|
||||
}
|
||||
func (c *clientset) KyvernoV2() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
|
||||
return c.kyvernov2
|
||||
}
|
||||
func (c *clientset) KyvernoV2alpha1() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2alpha1.KyvernoV2alpha1Interface {
|
||||
return c.kyvernov2alpha1
|
||||
}
|
||||
|
@ -58,6 +64,7 @@ func WrapWithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
|
|||
kyvernov1: kyvernov1.WithMetrics(inner.KyvernoV1(), m, clientType),
|
||||
kyvernov1alpha2: kyvernov1alpha2.WithMetrics(inner.KyvernoV1alpha2(), m, clientType),
|
||||
kyvernov1beta1: kyvernov1beta1.WithMetrics(inner.KyvernoV1beta1(), m, clientType),
|
||||
kyvernov2: kyvernov2.WithMetrics(inner.KyvernoV2(), m, clientType),
|
||||
kyvernov2alpha1: kyvernov2alpha1.WithMetrics(inner.KyvernoV2alpha1(), m, clientType),
|
||||
kyvernov2beta1: kyvernov2beta1.WithMetrics(inner.KyvernoV2beta1(), m, clientType),
|
||||
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithMetrics(inner.Wgpolicyk8sV1alpha2(), m, clientType),
|
||||
|
@ -70,6 +77,7 @@ func WrapWithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
|
|||
kyvernov1: kyvernov1.WithTracing(inner.KyvernoV1(), "KyvernoV1"),
|
||||
kyvernov1alpha2: kyvernov1alpha2.WithTracing(inner.KyvernoV1alpha2(), "KyvernoV1alpha2"),
|
||||
kyvernov1beta1: kyvernov1beta1.WithTracing(inner.KyvernoV1beta1(), "KyvernoV1beta1"),
|
||||
kyvernov2: kyvernov2.WithTracing(inner.KyvernoV2(), "KyvernoV2"),
|
||||
kyvernov2alpha1: kyvernov2alpha1.WithTracing(inner.KyvernoV2alpha1(), "KyvernoV2alpha1"),
|
||||
kyvernov2beta1: kyvernov2beta1.WithTracing(inner.KyvernoV2beta1(), "KyvernoV2beta1"),
|
||||
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithTracing(inner.Wgpolicyk8sV1alpha2(), "Wgpolicyk8sV1alpha2"),
|
||||
|
@ -82,6 +90,7 @@ func WrapWithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versi
|
|||
kyvernov1: kyvernov1.WithLogging(inner.KyvernoV1(), logger.WithValues("group", "KyvernoV1")),
|
||||
kyvernov1alpha2: kyvernov1alpha2.WithLogging(inner.KyvernoV1alpha2(), logger.WithValues("group", "KyvernoV1alpha2")),
|
||||
kyvernov1beta1: kyvernov1beta1.WithLogging(inner.KyvernoV1beta1(), logger.WithValues("group", "KyvernoV1beta1")),
|
||||
kyvernov2: kyvernov2.WithLogging(inner.KyvernoV2(), logger.WithValues("group", "KyvernoV2")),
|
||||
kyvernov2alpha1: kyvernov2alpha1.WithLogging(inner.KyvernoV2alpha1(), logger.WithValues("group", "KyvernoV2alpha1")),
|
||||
kyvernov2beta1: kyvernov2beta1.WithLogging(inner.KyvernoV2beta1(), logger.WithValues("group", "KyvernoV2beta1")),
|
||||
wgpolicyk8sv1alpha2: wgpolicyk8sv1alpha2.WithLogging(inner.Wgpolicyk8sV1alpha2(), logger.WithValues("group", "Wgpolicyk8sV1alpha2")),
|
||||
|
|
59
pkg/clients/kyverno/kyvernov2/client.generated.go
Normal file
59
pkg/clients/kyverno/kyvernov2/client.generated.go
Normal file
|
@ -0,0 +1,59 @@
|
|||
package client
|
||||
|
||||
import (
|
||||
"github.com/go-logr/logr"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/policyexceptions"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, metrics metrics.MetricsConfigManager, clientType metrics.ClientType) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
|
||||
return &withMetrics{inner, metrics, clientType}
|
||||
}
|
||||
|
||||
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, client string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
|
||||
return &withTracing{inner, client}
|
||||
}
|
||||
|
||||
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface {
|
||||
return &withLogging{inner, logger}
|
||||
}
|
||||
|
||||
type withMetrics struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
|
||||
metrics metrics.MetricsConfigManager
|
||||
clientType metrics.ClientType
|
||||
}
|
||||
|
||||
func (c *withMetrics) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType)
|
||||
return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder)
|
||||
}
|
||||
|
||||
type withTracing struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
|
||||
client string
|
||||
}
|
||||
|
||||
func (c *withTracing) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException")
|
||||
}
|
||||
|
||||
type withLogging struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.KyvernoV2Interface
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) RESTClient() rest.Interface {
|
||||
return c.inner.RESTClient()
|
||||
}
|
||||
func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace))
|
||||
}
|
|
@ -0,0 +1,337 @@
|
|||
package resource
|
||||
|
||||
import (
|
||||
context "context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/tracing"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
"go.uber.org/multierr"
|
||||
k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
|
||||
k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
|
||||
)
|
||||
|
||||
func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
return &withLogging{inner, logger}
|
||||
}
|
||||
|
||||
func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
return &withMetrics{inner, recorder}
|
||||
}
|
||||
|
||||
func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
|
||||
return &withTracing{inner, client, kind}
|
||||
}
|
||||
|
||||
type withLogging struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Create")
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Create failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Create done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Delete")
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "Delete failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Delete done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "DeleteCollection")
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret0); err != nil {
|
||||
logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("DeleteCollection done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Get")
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Get failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Get done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "List")
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "List failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("List done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Patch")
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Patch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Patch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Update")
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Update failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Update done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
start := time.Now()
|
||||
logger := c.logger.WithValues("operation", "Watch")
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if err := multierr.Combine(ret1); err != nil {
|
||||
logger.Error(err, "Watch failed", "duration", time.Since(start))
|
||||
} else {
|
||||
logger.Info("Watch done", "duration", time.Since(start))
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
type withMetrics struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
|
||||
recorder metrics.Recorder
|
||||
}
|
||||
|
||||
func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "create")
|
||||
return c.inner.Create(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete")
|
||||
return c.inner.Delete(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
defer c.recorder.RecordWithContext(arg0, "delete_collection")
|
||||
return c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "get")
|
||||
return c.inner.Get(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "list")
|
||||
return c.inner.List(arg0, arg1)
|
||||
}
|
||||
func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "patch")
|
||||
return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
}
|
||||
func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "update")
|
||||
return c.inner.Update(arg0, arg1, arg2)
|
||||
}
|
||||
func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
defer c.recorder.RecordWithContext(arg0, "watch")
|
||||
return c.inner.Watch(arg0, arg1)
|
||||
}
|
||||
|
||||
type withTracing struct {
|
||||
inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface
|
||||
client string
|
||||
kind string
|
||||
}
|
||||
|
||||
func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Create"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Delete"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.Delete(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("DeleteCollection"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret0)
|
||||
}
|
||||
return ret0
|
||||
}
|
||||
func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Get"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyExceptionList, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("List"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.List(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Patch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.PolicyException, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Update"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
||||
func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
|
||||
var span trace.Span
|
||||
if tracing.IsInSpan(arg0) {
|
||||
arg0, span = tracing.StartChildSpan(
|
||||
arg0,
|
||||
"",
|
||||
fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
|
||||
trace.WithAttributes(
|
||||
tracing.KubeClientGroupKey.String(c.client),
|
||||
tracing.KubeClientKindKey.String(c.kind),
|
||||
tracing.KubeClientOperationKey.String("Watch"),
|
||||
),
|
||||
)
|
||||
defer span.End()
|
||||
}
|
||||
ret0, ret1 := c.inner.Watch(arg0, arg1)
|
||||
if span != nil {
|
||||
tracing.SetSpanStatus(span, ret1)
|
||||
}
|
||||
return ret0, ret1
|
||||
}
|
|
@ -3,7 +3,7 @@ package api
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -43,7 +43,7 @@ type RuleResponse struct {
|
|||
// podSecurityChecks contains pod security checks (only if this is a pod security rule)
|
||||
podSecurityChecks *PodSecurityChecks
|
||||
// exception is the exception applied (if any)
|
||||
exception *kyvernov2beta1.PolicyException
|
||||
exception *kyvernov2.PolicyException
|
||||
}
|
||||
|
||||
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse {
|
||||
|
@ -78,7 +78,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
|
|||
return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
|
||||
}
|
||||
|
||||
func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
|
||||
func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse {
|
||||
r.exception = exception
|
||||
return &r
|
||||
}
|
||||
|
@ -109,7 +109,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
|
|||
return r.stats
|
||||
}
|
||||
|
||||
func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
|
||||
func (r *RuleResponse) Exception() *kyvernov2.PolicyException {
|
||||
return r.exception
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
)
|
||||
|
||||
|
@ -14,4 +14,4 @@ type NamespacedResourceSelector[T any] interface {
|
|||
}
|
||||
|
||||
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
|
||||
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]
|
||||
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2.PolicyException]
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
@ -13,8 +13,8 @@ import (
|
|||
func (e *engine) GetPolicyExceptions(
|
||||
policy kyvernov1.PolicyInterface,
|
||||
rule string,
|
||||
) ([]kyvernov2beta1.PolicyException, error) {
|
||||
var exceptions []kyvernov2beta1.PolicyException
|
||||
) ([]kyvernov2.PolicyException, error) {
|
||||
var exceptions []kyvernov2.PolicyException
|
||||
if e.exceptionSelector == nil {
|
||||
return exceptions, nil
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
@ -18,7 +18,7 @@ type Handler interface {
|
|||
unstructured.Unstructured,
|
||||
kyvernov1.Rule,
|
||||
engineapi.EngineContextLoader,
|
||||
[]kyvernov2beta1.PolicyException,
|
||||
[]kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse)
|
||||
}
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
json_patch "github.com/evanphx/json-patch/v5"
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
|
@ -69,7 +69,7 @@ func (h mutateImageHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/mutate"
|
||||
|
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -43,7 +43,7 @@ func (h validateCELHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
if engineutils.IsDeleteRequest(policyContext) {
|
||||
logger.V(3).Info("skipping CEL validation on deleted resource")
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
|
@ -44,7 +44,7 @@ func (h validateImageHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
"github.com/ghodss/yaml"
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
|
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
|
@ -33,7 +33,7 @@ func (h validatePssHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/go-logr/logr"
|
||||
gojmespath "github.com/kyverno/go-jmespath"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -2,7 +2,7 @@ package utils
|
|||
|
||||
import (
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/utils/conditions"
|
||||
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
||||
|
@ -11,10 +11,10 @@ import (
|
|||
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
|
||||
// It returns the matched policy exception.
|
||||
func MatchesException(
|
||||
polexs []kyvernov2beta1.PolicyException,
|
||||
polexs []kyvernov2.PolicyException,
|
||||
policyContext engineapi.PolicyContext,
|
||||
logger logr.Logger,
|
||||
) *kyvernov2beta1.PolicyException {
|
||||
) *kyvernov2.PolicyException {
|
||||
gvk, subresource := policyContext.ResourceKind()
|
||||
resource := policyContext.NewResource()
|
||||
if resource.Object == nil {
|
||||
|
|
|
@ -3,20 +3,20 @@ package admission
|
|||
import (
|
||||
"encoding/json"
|
||||
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
|
||||
var exception *kyvernov2beta1.PolicyException
|
||||
func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) {
|
||||
var exception *kyvernov2.PolicyException
|
||||
if err := json.Unmarshal(raw, &exception); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return exception, nil
|
||||
}
|
||||
|
||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
|
||||
var empty *kyvernov2beta1.PolicyException
|
||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) {
|
||||
var empty *kyvernov2.PolicyException
|
||||
exception, err := UnmarshalPolicyException(request.Object.Raw)
|
||||
if err != nil {
|
||||
return exception, empty, err
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"context"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -18,7 +18,7 @@ type ValidationOptions struct {
|
|||
}
|
||||
|
||||
// Validate checks policy exception is valid
|
||||
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
|
||||
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) {
|
||||
var warnings []string
|
||||
if !opts.Enabled {
|
||||
warnings = append(warnings, disabledPolex)
|
||||
|
|
|
@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) {
|
|||
Enabled: false,
|
||||
Namespace: "kyverno",
|
||||
},
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
},
|
||||
want: 1,
|
||||
},
|
||||
|
@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) {
|
|||
Enabled: true,
|
||||
Namespace: "kyverno",
|
||||
},
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
},
|
||||
want: 1,
|
||||
},
|
||||
|
@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) {
|
|||
Enabled: true,
|
||||
Namespace: "kyverno",
|
||||
},
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
},
|
||||
want: 0,
|
||||
},
|
||||
|
@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) {
|
|||
Enabled: true,
|
||||
Namespace: "",
|
||||
},
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||
},
|
||||
want: 0,
|
||||
},
|
||||
|
|
|
@ -39,7 +39,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
|||
dclient := dclient.NewEmptyFakeClient()
|
||||
configuration := config.NewDefaultConfiguration(false)
|
||||
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
||||
peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
|
||||
peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister()
|
||||
jp := jmespath.New(configuration)
|
||||
rclient := registryclient.NewOrDie()
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: delta-exception
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: polex-right
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: polex-wrong
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: container-exception
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: policy-exception-allow-latest
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
apiVersion: v1
|
||||
involvedObject:
|
||||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
name: policy-exception-allow-latest
|
||||
namespace: policy-exception-events-creation-polex-ns
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: label-exception
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: mynewpolex
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: allow-scaling-nginx-test
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
apiVersion: kyverno.io/v2
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: allow-scaling-nginx-test
|
||||
|
|
Loading…
Add table
Reference in a new issue