chore: use v2 clients for policy exceptions (#10530)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
parent
e892a0531e
commit
94d9bbe73f
31 changed files with 105 additions and 102 deletions
|
@ -101,6 +101,11 @@ func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
|
|||
for i, e := range p.Exceptions {
|
||||
errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
|
||||
}
|
||||
|
||||
podSecuityPath := path.Child("podSecurity")
|
||||
for i, p := range p.PodSecurity {
|
||||
errs = append(errs, p.Validate(podSecuityPath.Index(i))...)
|
||||
}
|
||||
return errs
|
||||
}
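Review bot: In the podSecurity loop of `Validate`, the range variable `p` shadows the receiver `p` (`for i, p := range p.PodSecurity`), and the path variable is misspelled `podSecuityPath`. The loop works as written because the range expression is evaluated before the new `p` comes into scope, but any later use of `p` inside the body will refer to the element rather than the spec, which is easy to get wrong in validation code. I would rename to `podSecurityPath := path.Child("podSecurity")` and `for i, ps := range p.PodSecurity`, with the call becoming `ps.Validate(podSecurityPath.Index(i))`. The start of `Validate` lies outside this hunk, and the added lines are inferred from the hunk's line counts because the page has lost its `+`/`-` markers.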
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@ import (
|
|||
"github.com/go-git/go-billy/v5/memfs"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
|
||||
|
@ -167,7 +166,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
|
|||
if err != nil {
|
||||
return rc, resources1, skipInvalidPolicies, responses1, err
|
||||
}
|
||||
var exceptions []*kyvernov2beta1.PolicyException
|
||||
var exceptions []*kyvernov2.PolicyException
|
||||
if c.inlineExceptions {
|
||||
exceptions = exception.SelectFrom(resources)
|
||||
} else {
|
||||
|
@ -260,7 +259,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
|
|||
vars *variables.Variables,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
resources []*unstructured.Unstructured,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
skipInvalidPolicies *SkippedInvalidPolicies,
|
||||
dClient dclient.Interface,
|
||||
userInfo *kyvernov2.RequestInfo,
|
||||
|
|
|
@ -21,8 +21,8 @@ var (
|
|||
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
|
||||
)
|
||||
|
||||
func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
var out []*kyvernov2beta1.PolicyException
|
||||
func Load(paths ...string) ([]*kyvernov2.PolicyException, error) {
|
||||
var out []*kyvernov2.PolicyException
|
||||
for _, path := range paths {
|
||||
bytes, err := os.ReadFile(filepath.Clean(path))
|
||||
if err != nil {
|
||||
|
@ -37,12 +37,12 @@ func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) {
|
|||
return out, nil
|
||||
}
|
||||
|
||||
func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
func load(content []byte) ([]*kyvernov2.PolicyException, error) {
|
||||
documents, err := yamlutils.SplitDocuments(content)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var exceptions []*kyvernov2beta1.PolicyException
|
||||
var exceptions []*kyvernov2.PolicyException
|
||||
crds, err := data.Crds()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -60,7 +60,7 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
|
|||
}
|
||||
switch gvk {
|
||||
case exceptionV2beta1, exceptionV2:
|
||||
exception, err := convert.To[kyvernov2beta1.PolicyException](untyped)
|
||||
exception, err := convert.To[kyvernov2.PolicyException](untyped)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -72,12 +72,12 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
|
|||
return exceptions, nil
|
||||
}
|
||||
|
||||
func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2beta1.PolicyException {
|
||||
var exceptions []*kyvernov2beta1.PolicyException
|
||||
func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2.PolicyException {
|
||||
var exceptions []*kyvernov2.PolicyException
|
||||
for _, resource := range resources {
|
||||
switch resource.GroupVersionKind() {
|
||||
case exceptionV2beta1, exceptionV2:
|
||||
exception, err := convert.To[kyvernov2beta1.PolicyException](*resource)
|
||||
exception, err := convert.To[kyvernov2.PolicyException](*resource)
|
||||
if err == nil {
|
||||
exceptions = append(exceptions, exception)
|
||||
}
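Review bot: `SelectFrom` discards the conversion error (`if err == nil { exceptions = append(exceptions, exception) }`), so a resource whose kind matches `exceptionV2beta1` or `exceptionV2` but does not decode into `kyvernov2.PolicyException` is dropped with no diagnostic, while `load` in the same file returns the error. Now that v2beta1 manifests are decoded into the v2 type, any schema mismatch would leave the user with an inline exception that is simply not applied and no indication why the result differs from what they expected. The signature has no error return, so I would at least add an `else` branch that reports the resource name and `err`. The remainder of `SelectFrom` is outside the hunk.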
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
package processor
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
)
|
||||
|
||||
type policyExceptionLister struct {
|
||||
exceptions []*kyvernov2beta1.PolicyException
|
||||
exceptions []*kyvernov2.PolicyException
|
||||
}
|
||||
|
||||
func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
var out []*kyvernov2beta1.PolicyException
|
||||
func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2.PolicyException, error) {
|
||||
var out []*kyvernov2.PolicyException
|
||||
for _, exception := range l.exceptions {
|
||||
exceptionLabels := labels.Set(exception.GetLabels())
|
||||
if selector.Matches(exceptionLabels) {
|
||||
|
|
|
@ -11,7 +11,6 @@ import (
|
|||
json_patch "github.com/evanphx/json-patch/v5"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/store"
|
||||
|
@ -40,7 +39,7 @@ type PolicyProcessor struct {
|
|||
Store *store.Store
|
||||
Policies []kyvernov1.PolicyInterface
|
||||
Resource unstructured.Unstructured
|
||||
PolicyExceptions []*kyvernov2beta1.PolicyException
|
||||
PolicyExceptions []*kyvernov2.PolicyException
|
||||
MutateLogPath string
|
||||
MutateLogPathIsDir bool
|
||||
Variables *variables.Variables
|
||||
|
|
|
@ -68,7 +68,7 @@ func NewExceptionSelector(
|
|||
polexCache := exceptioncontroller.NewController(
|
||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||
kyvernoInformer.Kyverno().V1().Policies(),
|
||||
kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(),
|
||||
kyvernoInformer.Kyverno().V2().PolicyExceptions(),
|
||||
exceptionNamespace,
|
||||
)
|
||||
polexController := NewController(
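Review bot: The exception cache is now fed from `kyvernoInformer.Kyverno().V2().PolicyExceptions()`, which depends on the installed PolicyException CRD serving the v2 version; nothing on this page shows the CRD manifests. If a cluster is upgraded while an older CRD is still in place, this informer presumably cannot list or sync, and exception lookups would then run against an empty or stale set. Please confirm the CRD change ships with or before this commit and state the requirement in the upgrade notes. The same switch is made in `createrLeaderControllers` and `createReportControllers`. `NewExceptionSelector` starts and ends outside the hunk.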
|
||||
|
|
|
@ -221,7 +221,7 @@ func createrLeaderControllers(
|
|||
kyvernoClient,
|
||||
dynamicClient.Discovery(),
|
||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||
kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(),
|
||||
kyvernoInformer.Kyverno().V2().PolicyExceptions(),
|
||||
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
|
||||
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings(),
|
||||
eventGenerator,
|
||||
|
|
|
@ -76,7 +76,7 @@ func createReportControllers(
|
|||
vapBindingInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings()
|
||||
}
|
||||
kyvernoV1 := kyvernoInformer.Kyverno().V1()
|
||||
kyvernoV2beta1 := kyvernoInformer.Kyverno().V2beta1()
|
||||
kyvernoV2 := kyvernoInformer.Kyverno().V2()
|
||||
if backgroundScan || admissionReports {
|
||||
resourceReportController := resourcereportcontroller.NewController(
|
||||
client,
|
||||
|
@ -114,7 +114,7 @@ func createReportControllers(
|
|||
metadataFactory,
|
||||
kyvernoV1.Policies(),
|
||||
kyvernoV1.ClusterPolicies(),
|
||||
kyvernoV2beta1.PolicyExceptions(),
|
||||
kyvernoV2.PolicyExceptions(),
|
||||
vapInformer,
|
||||
vapBindingInformer,
|
||||
kubeInformer.Core().V1().Namespaces(),
|
||||
|
|
|
@ -9,12 +9,12 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
|
||||
kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
|
||||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
|
||||
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -22,7 +22,7 @@ import (
|
|||
"k8s.io/client-go/util/workqueue"
|
||||
)
|
||||
|
||||
type ruleIndex = map[string][]*kyvernov2beta1.PolicyException
|
||||
type ruleIndex = map[string][]*kyvernov2.PolicyException
|
||||
|
||||
type policyIndex = map[string]ruleIndex
|
||||
|
||||
|
@ -30,7 +30,7 @@ type controller struct {
|
|||
// listers
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
polLister kyvernov1listers.PolicyLister
|
||||
polexLister kyvernov2beta1listers.PolicyExceptionLister
|
||||
polexLister kyvernov2listers.PolicyExceptionLister
|
||||
|
||||
// queue
|
||||
queue workqueue.RateLimitingInterface
|
||||
|
@ -50,7 +50,7 @@ const (
|
|||
func NewController(
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
polInformer kyvernov1informers.PolicyInformer,
|
||||
polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
|
||||
polexInformer kyvernov2informers.PolicyExceptionInformer,
|
||||
namespace string,
|
||||
) *controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
|
||||
|
@ -78,13 +78,13 @@ func (c *controller) Run(ctx context.Context, workers int) {
|
|||
controllerutils.Run(ctx, logger.V(3), ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile)
|
||||
}
|
||||
|
||||
func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) {
|
||||
c.lock.RLock()
|
||||
defer c.lock.RUnlock()
|
||||
return c.index[policyName][ruleName], nil
|
||||
}
|
||||
|
||||
func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) addPolex(polex *kyvernov2.PolicyException) {
|
||||
names := sets.New[string]()
|
||||
for _, ex := range polex.Spec.Exceptions {
|
||||
names.Insert(ex.PolicyName)
|
||||
|
@ -94,7 +94,7 @@ func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) {
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) updatePolex(old *kyvernov2.PolicyException, new *kyvernov2.PolicyException) {
|
||||
names := sets.New[string]()
|
||||
for _, ex := range old.Spec.Exceptions {
|
||||
names.Insert(ex.PolicyName)
|
||||
|
@ -107,7 +107,7 @@ func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyver
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) deletePolex(polex *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) deletePolex(polex *kyvernov2.PolicyException) {
|
||||
names := sets.New[string]()
|
||||
for _, ex := range polex.Spec.Exceptions {
|
||||
names.Insert(ex.PolicyName)
|
||||
|
@ -133,7 +133,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) listExceptions() ([]*kyvernov2beta1.PolicyException, error) {
|
||||
func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
|
||||
if c.namespace == "" {
|
||||
return c.polexLister.List(labels.Everything())
|
||||
}
|
||||
|
@ -145,7 +145,7 @@ func (c *controller) buildRuleIndex(key string, policy kyvernov1.PolicyInterface
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
slices.SortFunc(polexList, func(a, b *kyvernov2beta1.PolicyException) int {
|
||||
slices.SortFunc(polexList, func(a, b *kyvernov2.PolicyException) int {
|
||||
if cmp := cmp.Compare(a.Namespace, b.Namespace); cmp != 0 {
|
||||
return cmp
|
||||
}
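Review bot: `Find` has no doc comment, although it returns `c.index[policyName][ruleName]` directly, so callers receive the controller's own slice and the pointers stored in it once the read lock is released. The `PolicyExceptionSelector` interface says returned objects must be treated as read-only, and the implementation should repeat that contract, since a caller that mutates an element would change what later lookups match. I would add `// Find returns the exceptions indexed for policyName and ruleName; the slice and its objects are shared with the controller and must not be modified.` above the method. `buildRuleIndex` in the last hunk continues outside the visible lines.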
|
||||
|
|
|
@ -6,14 +6,14 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
|
||||
kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
|
||||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
|
||||
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
|
@ -57,7 +57,7 @@ type controller struct {
|
|||
// listers
|
||||
polLister kyvernov1listers.PolicyLister
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
polexLister kyvernov2beta1listers.PolicyExceptionLister
|
||||
polexLister kyvernov2listers.PolicyExceptionLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
|
||||
bgscanrLister cache.GenericLister
|
||||
|
@ -85,7 +85,7 @@ func NewController(
|
|||
metadataFactory metadatainformers.SharedInformerFactory,
|
||||
polInformer kyvernov1informers.PolicyInformer,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
|
||||
polexInformer kyvernov2informers.PolicyExceptionInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
nsInformer corev1informers.NamespaceInformer,
|
||||
|
@ -171,17 +171,17 @@ func (c *controller) deletePolicy(obj kyvernov1.PolicyInterface) {
|
|||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) addException(obj *kyvernov2.PolicyException) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) updateException(old, obj *kyvernov2.PolicyException) {
|
||||
if old.GetResourceVersion() != obj.GetResourceVersion() {
|
||||
c.enqueueResources()
|
||||
}
|
||||
}
|
||||
|
||||
func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
|
@ -243,7 +243,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2beta1.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
|
||||
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
|
||||
// if the reportMetadata does not exist, we need a full reconcile
|
||||
reportMetadata, err := c.getMeta(namespace, name)
|
||||
if err != nil {
|
||||
|
@ -302,7 +302,7 @@ func (c *controller) reconcileReport(
|
|||
uid types.UID,
|
||||
gvk schema.GroupVersionKind,
|
||||
resource resource.Resource,
|
||||
exceptions []kyvernov2beta1.PolicyException,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
|
||||
policies ...engineapi.GenericPolicy,
|
||||
) error {
|
||||
|
|
|
@ -3,11 +3,11 @@ package utils
|
|||
import (
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
|
||||
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
|
@ -111,8 +111,8 @@ func FetchPolicies(polLister kyvernov1listers.PolicyLister, namespace string) ([
|
|||
return policies, nil
|
||||
}
|
||||
|
||||
func FetchPolicyExceptions(polexLister kyvernov2beta1listers.PolicyExceptionLister, namespace string) ([]kyvernov2beta1.PolicyException, error) {
|
||||
var exceptions []kyvernov2beta1.PolicyException
|
||||
func FetchPolicyExceptions(polexLister kyvernov2listers.PolicyExceptionLister, namespace string) ([]kyvernov2.PolicyException, error) {
|
||||
var exceptions []kyvernov2.PolicyException
|
||||
if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
|
|
|
@ -7,13 +7,13 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/auth/checker"
|
||||
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
|
||||
kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2"
|
||||
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
|
||||
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
|
@ -48,7 +48,7 @@ type controller struct {
|
|||
|
||||
// listers
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
polexLister kyvernov2beta1listers.PolicyExceptionLister
|
||||
polexLister kyvernov2listers.PolicyExceptionLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapbindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
|
||||
|
||||
|
@ -64,7 +64,7 @@ func NewController(
|
|||
kyvernoClient versioned.Interface,
|
||||
discoveryClient dclient.IDiscovery,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
|
||||
polexInformer kyvernov2informers.PolicyExceptionInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapbindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
eventGen event.Interface,
|
||||
|
@ -148,12 +148,12 @@ func (c *controller) enqueuePolicy(obj kyvernov1.PolicyInterface) {
|
|||
c.queue.Add(key)
|
||||
}
|
||||
|
||||
func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) addException(obj *kyvernov2.PolicyException) {
|
||||
logger.Info("policy exception created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName())
|
||||
c.enqueueException(obj)
|
||||
}
|
||||
|
||||
func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) updateException(old, obj *kyvernov2.PolicyException) {
|
||||
if datautils.DeepEqual(old.Spec, obj.Spec) {
|
||||
return
|
||||
}
|
||||
|
@ -161,14 +161,14 @@ func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
|
|||
c.enqueueException(obj)
|
||||
}
|
||||
|
||||
func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
|
||||
polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2beta1.PolicyException)
|
||||
func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
|
||||
polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException)
|
||||
|
||||
logger.Info("policy exception deleted", "uid", polex.GetUID(), "kind", polex.GetKind(), "name", polex.GetName())
|
||||
c.enqueueException(obj)
|
||||
}
|
||||
|
||||
func (c *controller) enqueueException(obj *kyvernov2beta1.PolicyException) {
|
||||
func (c *controller) enqueueException(obj *kyvernov2.PolicyException) {
|
||||
for _, exception := range obj.Spec.Exceptions {
|
||||
// skip adding namespaced policies in the queue.
|
||||
// skip adding policies with multiple rules in the queue.
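Review bot: In `deleteException` the result of `kubeutils.GetObjectWithTombstone(obj)` is type-asserted without the comma-ok form, so a payload of any other type would panic rather than be skipped. The unwrapped `polex` is then used only for the log line, while `c.enqueueException(obj)` is still passed the original `obj`. Since `obj` is already typed the unwrap may be redundant, but if it is kept I would write `polex, ok := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException)`, return when `!ok`, and call `c.enqueueException(polex)`. `enqueueException` continues past the end of the last hunk.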
|
||||
|
|
|
@ -3,7 +3,7 @@ package api
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -44,7 +44,7 @@ type RuleResponse struct {
|
|||
// podSecurityChecks contains pod security checks (only if this is a pod security rule)
|
||||
podSecurityChecks *PodSecurityChecks
|
||||
// exception is the exception applied (if any)
|
||||
exception *kyvernov2beta1.PolicyException
|
||||
exception *kyvernov2.PolicyException
|
||||
// binding is the validatingadmissionpolicybinding (if any)
|
||||
binding *v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
// emitWarning enable passing rule message as warning to api server warning header
|
||||
|
@ -88,7 +88,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
|
|||
return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
|
||||
}
|
||||
|
||||
func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
|
||||
func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse {
|
||||
r.exception = exception
|
||||
return &r
|
||||
}
|
||||
|
@ -129,7 +129,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
|
|||
return r.stats
|
||||
}
|
||||
|
||||
func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
|
||||
func (r *RuleResponse) Exception() *kyvernov2.PolicyException {
|
||||
return r.exception
|
||||
}
|
||||
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
package api
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
)
|
||||
|
||||
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
|
||||
type PolicyExceptionSelector interface {
|
||||
// Find returns policy exceptions matching a given policy name and rule name.
|
||||
// Objects returned here must be treated as read-only.
|
||||
Find(string, string) ([]*kyvernov2beta1.PolicyException, error)
|
||||
Find(string, string) ([]*kyvernov2.PolicyException, error)
|
||||
}
|
||||
|
|
|
@ -2,7 +2,7 @@ package engine
|
|||
|
||||
import (
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
|
@ -10,7 +10,7 @@ import (
|
|||
func (e *engine) GetPolicyExceptions(
|
||||
policy kyvernov1.PolicyInterface,
|
||||
rule string,
|
||||
) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
) ([]*kyvernov2.PolicyException, error) {
|
||||
if e.exceptionSelector == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
@ -18,7 +18,7 @@ type Handler interface {
|
|||
unstructured.Unstructured,
|
||||
kyvernov1.Rule,
|
||||
engineapi.EngineContextLoader,
|
||||
[]*kyvernov2beta1.PolicyException,
|
||||
[]*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse)
|
||||
}
|
||||
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
json_patch "github.com/evanphx/json-patch/v5"
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
|
@ -66,7 +66,7 @@ func (h mutateImageHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/mutate"
|
||||
|
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -45,7 +45,7 @@ func (h validateCELHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
if engineutils.IsDeleteRequest(policyContext) {
|
||||
logger.V(3).Info("skipping CEL validation on deleted resource")
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
|
@ -45,7 +45,7 @@ func (h validateImageHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
"github.com/ghodss/yaml"
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
|
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
|
@ -37,7 +37,7 @@ func (h validatePssHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
_ engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
if engineutils.IsDeleteRequest(policyContext) {
|
||||
logger.V(3).Info("skipping PSS validation on deleted resource")
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/go-logr/logr"
|
||||
gojmespath "github.com/kyverno/go-jmespath"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
|
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
|
|||
resource unstructured.Unstructured,
|
||||
rule kyvernov1.Rule,
|
||||
contextLoader engineapi.EngineContextLoader,
|
||||
exceptions []*kyvernov2beta1.PolicyException,
|
||||
exceptions []*kyvernov2.PolicyException,
|
||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||
// check if there is a policy exception matches the incoming resource
|
||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
|
||||
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
|
||||
// It returns the matched policy exception.
|
||||
func MatchesException(polexs []*kyvernov2beta1.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2beta1.PolicyException {
|
||||
func MatchesException(polexs []*kyvernov2.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2.PolicyException {
|
||||
gvk, subresource := policyContext.ResourceKind()
|
||||
resource := policyContext.NewResource()
|
||||
if resource.Object == nil {
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
package exceptions
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
)
|
||||
|
||||
type Lister interface {
|
||||
List(labels.Selector) ([]*kyvernov2beta1.PolicyException, error)
|
||||
List(labels.Selector) ([]*kyvernov2.PolicyException, error)
|
||||
}
|
||||
|
||||
type selector struct {
|
||||
|
@ -19,12 +19,12 @@ func New(lister Lister) selector {
|
|||
}
|
||||
}
|
||||
|
||||
func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) {
|
||||
func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) {
|
||||
polexs, err := s.lister.List(labels.Everything())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var results []*kyvernov2beta1.PolicyException
|
||||
var results []*kyvernov2.PolicyException
|
||||
for _, polex := range polexs {
|
||||
if polex.Contains(policyName, ruleName) {
|
||||
results = append(results, polex)
|
||||
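Review bot: `Find` lists with `labels.Everything()` and keeps each exception for which `polex.Contains(policyName, ruleName)` holds, so in these lines the only filter is the policy and rule name. Any restriction on which namespaces may supply exceptions has to come from the `Lister` passed to `New`, which is not visible here. Since an exception switches a rule off for the resources it matches, that contract is worth stating on the exported API, which has no doc comments: `// Find returns all exceptions from the lister that reference policyName and ruleName; it applies no namespace filter of its own.` A matching one-line comment on `Lister` would help as well. The body of `Find` continues past the end of the hunk.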
|
|
|
@ -1,21 +1,21 @@
|
|||
package admission
|
||||
|
||||
import (
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apimachinery/pkg/util/json"
|
||||
)
|
||||
|
||||
func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
|
||||
var exception *kyvernov2beta1.PolicyException
|
||||
func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) {
|
||||
var exception *kyvernov2.PolicyException
|
||||
if err := json.Unmarshal(raw, &exception); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return exception, nil
|
||||
}
|
||||
|
||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
|
||||
var empty *kyvernov2beta1.PolicyException
|
||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) {
|
||||
var empty *kyvernov2.PolicyException
|
||||
exception, err := UnmarshalPolicyException(request.Object.Raw)
|
||||
if err != nil {
|
||||
return exception, empty, err
|
||||
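Review bot: `UnmarshalPolicyException` decodes into a nil `*kyvernov2.PolicyException`, so a payload of JSON `null` should come back as `(nil, nil)` rather than an error, and the function does not look at the `apiVersion` the raw object carries. If a caller dereferences the result after checking only `err`, that is a panic in the admission path. A guard after the unmarshal, such as `if exception == nil { return nil, fmt.Errorf("policy exception payload is empty") }`, would close it (it needs `fmt` in the import block). Whether v2beta1 objects can still reach this decoder is not visible from the hunk and is worth confirming, since they would now be read through the v2 type. `GetPolicyExceptions` continues outside the hunk.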
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"k8s.io/apimachinery/pkg/util/json"
|
||||
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
@ -56,7 +56,7 @@ func TestUnmarshalPolicyException(t *testing.T) {
|
|||
if err != nil {
|
||||
t.Errorf("Unexpected error: %v", err)
|
||||
}
|
||||
var exception *kyvernov2beta1.PolicyException
|
||||
var exception *kyvernov2.PolicyException
|
||||
json.Unmarshal(test.raw, &exception)
|
||||
if !reflect.DeepEqual(result, exception) {
|
||||
t.Errorf("Expected %+v, got %+v", exception, result)
|
||||
|
@ -155,7 +155,7 @@ func TestGetPolicyExceptions(t *testing.T) {
|
|||
for _, test := range testCases {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
p1, p2, _ := GetPolicyExceptions(test.args.request)
|
||||
var empty *kyvernov2beta1.PolicyException
|
||||
var empty *kyvernov2.PolicyException
|
||||
expectedP1, err := UnmarshalPolicyException(test.args.request.Object.Raw)
|
||||
if err != nil {
|
||||
expectedP2 := empty
|
||||
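Review bot: `TestUnmarshalPolicyException` computes its expected value with the same `json.Unmarshal(test.raw, &exception)` that the function under test performs, and drops that call's error, so the `reflect.DeepEqual` check cannot catch a field that stops decoding after the move to the v2 type. Comparing against values written out from the fixture would make the test meaningful, and the helper call should at least be `if err := json.Unmarshal(test.raw, &exception); err != nil { t.Fatal(err) }`. In `TestGetPolicyExceptions` the error from `GetPolicyExceptions` is discarded with `_` in the same way. Both test functions extend beyond the lines shown.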
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
|
@ -85,7 +85,7 @@ func PolicyLabel(policy engineapi.GenericPolicy) string {
|
|||
return PolicyLabelPrefix(policy) + policy.GetName()
|
||||
}
|
||||
|
||||
func PolicyExceptionLabel(exception kyvernov2beta1.PolicyException) string {
|
||||
func PolicyExceptionLabel(exception kyvernov2.PolicyException) string {
|
||||
return LabelPrefixPolicyException + exception.GetName()
|
||||
}
|
||||
|
||||
|
@ -164,7 +164,7 @@ func SetPolicyLabel(report reportsv1.ReportInterface, policy engineapi.GenericPo
|
|||
controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion())
|
||||
}
|
||||
|
||||
func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2beta1.PolicyException) {
|
||||
func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2.PolicyException) {
|
||||
controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
|
||||
}
|
||||
|
||||
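Review bot: `PolicyExceptionLabel` derives the key from `exception.GetName()` only, so two PolicyExceptions that share a name in different namespaces would produce the same label, and `SetPolicyExceptionLabel` would keep only the resource version written last. If reports use this label to decide whether an exception changed (not visible here), an update to one of the two could go unnoticed. Changing the key format would affect existing reports, so as a first step the limitation should be documented: `// PolicyExceptionLabel returns the report label key for exception; the key is built from the name only and does not include the namespace.`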
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"context"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -18,7 +18,7 @@ type ValidationOptions struct {
|
|||
}
|
||||
|
||||
// Validate checks policy exception is valid
|
||||
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
|
||||
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) {
|
||||
var warnings []string
|
||||
if !opts.Enabled {
|
||||
warnings = append(warnings, disabledPolex)
|
||||
|
|
|
@ -40,7 +40,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) *resour
|
|||
dclient := dclient.NewEmptyFakeClient()
|
||||
configuration := config.NewDefaultConfiguration(false)
|
||||
urLister := kyvernoInformers.Kyverno().V2().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
||||
peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
|
||||
peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister()
|
||||
jp := jmespath.New(configuration)
|
||||
rclient := registryclient.NewOrDie()
|
||||
|
||||
|
|