744 deny all requests

definitions/install.yaml

@@ -209,13 +209,17 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                            - key  # can be of any type
-                            - operator # typed
-                            - value # can be of any type
+                        properties:
+                          allRequests:
+                            type: boolean
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:

definitions/install_debug.yaml

@@ -209,13 +209,17 @@ spec:
                       anyPattern:
                         AnyValue: {}
                       deny:
-                        type: array
-                        items:
-                          type: object
-                          required:
-                            - key  # can be of any type
-                            - operator # typed
-                            - value # can be of any type
+                        properties:
+                          allRequests:
+                            type: boolean
+                          conditions:
+                            type: array
+                            items:
+                              type: object
+                              required:
+                                - key  # can be of any type
+                                - operator # typed
+                                - value # can be of any type
                   generate:
                     type: object
                     required:

pkg/api/kyverno/v1/types.go

@@ -211,7 +211,12 @@ type Validation struct {
 	Message    string        `json:"message,omitempty"`
 	Pattern    interface{}   `json:"pattern,omitempty"`
 	AnyPattern []interface{} `json:"anyPattern,omitempty"`
-	Deny       []Condition   `json:"deny,omitempty"`
+	Deny       *Deny         `json:"deny,omitempty"`
+}
+
+type Deny struct {
+	AllRequests bool        `json:"allRequests,omitempty"`
+	Conditions  []Condition `json:"conditions,omitempty"`
 }
 
 // Generation describes which resources will be created when other resource is created

pkg/engine/validation.go

@@ -110,8 +110,8 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 		}
 
 		if rule.Validation.Deny != nil {
-			denyConditionsCopy := copyConditions(rule.Validation.Deny)
-			if !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
+			if rule.Validation.Deny.AllRequests || !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 				ruleResp := response.RuleResponse{
 					Name:    rule.Name,
 					Type:    utils.Validation.String(),

pkg/policy/validate/validate.go

@@ -49,7 +49,7 @@ func (v *Validate) Validate() (string, error) {
 // validateOverlayPattern checks one of pattern/anyPattern must exist
 func (v *Validate) validateOverlayPattern() error {
 	rule := v.rule
-	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && len(rule.Deny) == 0 {
+	if rule.Pattern == nil && len(rule.AnyPattern) == 0 && rule.Deny == nil {
 		return fmt.Errorf("a pattern or anyPattern or deny must be specified")
 	}