diff --git a/definitions/install.yaml b/definitions/install.yaml
index d85ad4574d..5a4db02cf5 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -209,13 +209,17 @@ spec:
 anyPattern:
 AnyValue: {}
 deny:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
+ properties:
+ allRequests:
+ type: boolean
+ conditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
 generate:
 type: object
 required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 6984c76187..eddfe71a8e 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -209,13 +209,17 @@ spec:
 anyPattern:
 AnyValue: {}
 deny:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
+ properties:
+ allRequests:
+ type: boolean
+ conditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
 generate:
 type: object
 required:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index c85fe9a1a7..a05adb96e4 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -211,7 +211,12 @@ type Validation struct {
 Message string `json:"message,omitempty"`
 Pattern interface{} `json:"pattern,omitempty"`
 AnyPattern []interface{} `json:"anyPattern,omitempty"`
- Deny []Condition `json:"deny,omitempty"`
+ Deny *Deny `json:"deny,omitempty"`
+}
+
+type Deny struct {
+ AllRequests bool `json:"allRequests,omitempty"`
+ Conditions []Condition `json:"conditions,omitempty"`
 }
 
 // Generation describes which resources will be created when other resource is created
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 87ff85dc69..0cd89e09da 100644
--- a/pkg/engine/validation.go
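Review bot: The new `deny:` schema declares `properties:` but no `type: object`, so, if this block is the CRD's openAPIV3Schema as the `spec:` context suggests, the API server no longer constrains what kind of value `deny` holds — a policy still written in the previous list form (`deny: [{key: …, operator: …, value: …}]`) would pass schema validation and only fail later when the controller decodes it into the new struct. Add `type: object` directly above `properties:` at the same indent so the old shape is rejected at admission with a clear message. Neither `allRequests` nor `conditions` is marked required, so `deny: {}` is also schema-valid; if an empty block is not meant to be a usable rule, a `required:` or `oneOf` here is the cheapest place to refuse it. The enclosing `validate:` schema begins and ends outside this hunk.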
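Review bot: This hunk is byte-for-byte the same `deny:` schema as the one in definitions/install.yaml, including the missing `type: object` under `deny:`, so any correction made there has to be mirrored here or the debug install will accept policies the regular install rejects, or vice versa. The line to add in both files is `type: object` immediately above `properties:`. If the two manifests are produced from a shared source, regenerating them rather than hand-editing would remove the drift risk; if not, a note in each file pointing at the other would help the next change.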
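Review bot: `Deny` and both of its fields are exported and carry no doc comments, and the precedence between them is only discoverable by reading pkg/engine/validation.go, whereas the type is where a policy author and the next maintainer will look. Suggested comments: `// Deny describes when a validation rule rejects the matching resource.` on the type, `// AllRequests, when true, denies every matching request; Conditions are not consulted.` on the first field, and `// Conditions are evaluated against the request; the rule denies when they do not hold. Ignored when AllRequests is true.` on the second. It is also worth one sentence noting that a `deny: {}` block decodes to a non-nil *Deny with both fields zero, since every caller visible in this diff distinguishes deny rules by a `!= nil` check alone. `Validation` begins outside this hunk.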
+++ b/pkg/engine/validation.go
@@ -110,8 +110,8 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 }
 
 if rule.Validation.Deny != nil {
- denyConditionsCopy := copyConditions(rule.Validation.Deny)
- if !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+ denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
+ if rule.Validation.Deny.AllRequests || !variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
 ruleResp := response.RuleResponse{
 Name: rule.Name,
 Type: utils.Validation.String(),
diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go
index 1e705758aa..d120422d9d 100644
--- a/pkg/policy/validate/validate.go
+++ b/pkg/policy/validate/validate.go
@@ -49,7 +49,7 @@ func (v *Validate) Validate() (string, error) {
 // validateOverlayPattern checks one of pattern/anyPattern must exist
 func (v *Validate) validateOverlayPattern() error {
 rule := v.rule
- if rule.Pattern == nil && len(rule.AnyPattern) == 0 && len(rule.Deny) == 0 {
+ if rule.Pattern == nil && len(rule.AnyPattern) == 0 && rule.Deny == nil {
 return fmt.Errorf("a pattern or anyPattern or deny must be specified")
 }
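Review bot: The new condition can fail open for a `deny` block that sets neither field: `deny: {}` decodes to a non-nil *Deny with `AllRequests` false and `Conditions` empty, it passes the `rule.Deny == nil` check that validate.go gains in this same diff, and here its outcome depends solely on what `variables.EvaluateConditions` returns for an empty slice, which is not visible in the hunk — if that is true (nothing failed), the rule silently denies nothing. A policy author who sets `allRequests: true` together with `conditions` is likewise never told that the conditions are ignored by the short-circuit. Both shapes are cheapest to reject where policies are admitted, e.g. in validateOverlayPattern: `if rule.Deny != nil && !rule.Deny.AllRequests && len(rule.Deny.Conditions) == 0 { return fmt.Errorf("deny requires allRequests or at least one condition") }`. Minor: when `AllRequests` is set, `copyConditions` on the preceding line still runs for nothing; computing the copy only in the non-allRequests path would also make the precedence explicit to a reader. validateResource begins and ends outside this hunk.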