mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 02:18:15 +00:00
Code Activity

Selector with mutate target (#11208)

Browse source 
* feature: Add LabelSelector as a field of resource spec to allow fetching by labels

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Generate CRDs

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Add the capability to fetch with label selector

- Add the label selector as a parameter to GetResources of the engine api client and the dclient.
- Use the label selector with list options in the dclient.
- convert a metav1.LabelSelector to a labels.Selector before fetching to be able to convert it to a string to be used with ListOptions.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Pass label selector to the GetResources method

Signed-off-by: aerosouund <aerosound161@gmail.com>

* feat: Return the resource selector when resolving spec

Signed-off-by: aerosouund <aerosound161@gmail.com>

* fix: Instantiate the fake client schema using the passed gvrToListKind map and by inferring schema from passed resources

All tests that use List will fail because the fake client doesn't infer the schema from the passed resources.
gvrToListKind can't be fully deprecated as some parts of kyverno use the fake client without passing resources to it (resource generation). And so both approaches have to be supported.

References:
- https://github.com/kubernetes/client-go/issues/983
- 46c1ad3baa

Signed-off-by: aerosouund <aerosound161@gmail.com>

* test: Add labelSelector unit test to mutate existing test.

- Remove the unwanted call to GetResource.
- Pass an empty map of GVR to string to the fake client constructor.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* test: Add chainsaw test

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Generate helm CRDs

Signed-off-by: aerosouund <aerosound161@gmail.com>

* refactor: Put the LabelSelector in a separate struct

Many types use the ResourceSpec struct and not all of them support label selectors.
This removes the field into a separate schema dedicated to target selection called TargetSelector.
It has the ResourceSpec and the selector.

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen after modifying selector comment

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Run codegen

Signed-off-by: aerosouund <aerosound161@gmail.com>

---------

Signed-off-by: aerosouund <aerosound161@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Ammar Yasser 2024-10-16 14:17:08 +03:00 committed by GitHub
parent d6f7d14e57
commit 9a8e35d787
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
28 changed files with 2181 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
api/kyverno/v1/resource_spec_types.go
View file

@ -3,6 +3,7 @@ package v1
import (
"strings"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
)
@ -39,8 +40,8 @@ func (s ResourceSpec) String() string {
// TargetResourceSpec defines targets for mutating existing resources.
type TargetResourceSpec struct {
// ResourceSpec contains the target resources to load when mutating existing resources.
ResourceSpec `json:",omitempty"`
// TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.
TargetSelector `json:",omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
@ -57,9 +58,19 @@ type TargetResourceSpec struct {
RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty"`
}
type TargetSelector struct {
// ResourceSpec contains the target resources to load when mutating existing resources.
ResourceSpec `json:",omitempty"`
// Selector allows you to select target resources with their labels.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty"`
}
func (r *TargetResourceSpec) GetAnyAllConditions() any {
if r.RawAnyAllConditions == nil {
return nil
}
return r.RawAnyAllConditions.Conditions
}
func (r *TargetResourceSpec) GetSelector() *metav1.LabelSelector { return r.Selector }

24
api/kyverno/v1/zz_generated.deepcopy.go
View file

@ -1627,7 +1627,7 @@ func (in *StaticKeyAttestor) DeepCopy() *StaticKeyAttestor {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TargetResourceSpec) DeepCopyInto(out *TargetResourceSpec) {
*out = *in
out.ResourceSpec = in.ResourceSpec
in.TargetSelector.DeepCopyInto(&out.TargetSelector)
if in.Context != nil {
in, out := &in.Context, &out.Context
*out = make([]ContextEntry, len(*in))
@ -1652,6 +1652,28 @@ func (in *TargetResourceSpec) DeepCopy() *TargetResourceSpec {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TargetSelector) DeepCopyInto(out *TargetSelector) {
*out = *in
out.ResourceSpec = in.ResourceSpec
if in.Selector != nil {
in, out := &in.Selector, &out.Selector
*out = new(metav1.LabelSelector)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector.
func (in *TargetSelector) DeepCopy() *TargetSelector {
if in == nil {
return nil
}
out := new(TargetSelector)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *UserInfo) DeepCopyInto(out *UserInfo) {
*out = *in

192
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
View file

@ -2926,6 +2926,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7987,6 +8035,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12684,6 +12780,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17879,6 +18023,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

192
charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml
View file

@ -2927,6 +2927,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7989,6 +8037,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12687,6 +12783,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17882,6 +18026,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

192
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
View file

@ -2920,6 +2920,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7981,6 +8029,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12678,6 +12774,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17873,6 +18017,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

192
cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
View file

@ -2921,6 +2921,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7983,6 +8031,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12681,6 +12777,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17876,6 +18020,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

192
config/crds/kyverno/kyverno.io_clusterpolicies.yaml
View file

@ -2920,6 +2920,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7981,6 +8029,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12678,6 +12774,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17873,6 +18017,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

192
config/crds/kyverno/kyverno.io_policies.yaml
View file

@ -2921,6 +2921,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -7983,6 +8031,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -12681,6 +12777,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -17876,6 +18020,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

384
config/install-latest-testing.yaml
View file

@ -8313,6 +8313,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -13374,6 +13422,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -18071,6 +18167,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -23266,6 +23410,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -28674,6 +28866,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -33736,6 +33976,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -38434,6 +38722,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string
@ -43629,6 +43965,54 @@ spec:
will be deprecated in the next major release.
See: https://kyverno.io/docs/writing-policies/preconditions/
x-kubernetes-preserve-unknown-fields: true
selector:
description: Selector allows you to select target
resources with their labels.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
uid:
description: UID specifies the resource uid.
type: string

56
docs/user/crd/index.html
View file

@ -3819,7 +3819,7 @@ ResourceDescription
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.GeneratePattern">GeneratePattern</a>,
<a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>,
<a href="#kyverno.io/v1.TargetSelector">TargetSelector</a>,
<a href="#kyverno.io/v1beta1.UpdateRequestSpec">UpdateRequestSpec</a>,
<a href="#kyverno.io/v1beta1.UpdateRequestStatus">UpdateRequestStatus</a>,
<a href="#kyverno.io/v2.RuleContext">RuleContext</a>,
@ -4608,15 +4608,15 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<tbody>
<tr>
<td>
<code>ResourceSpec</code><br/>
<code>TargetSelector</code><br/>
<em>
<a href="#kyverno.io/v1.ResourceSpec">
ResourceSpec
<a href="#kyverno.io/v1.TargetSelector">
TargetSelector
</a>
</em>
</td>
<td>
<p>ResourceSpec contains the target resources to load when mutating existing resources.</p>
<p>TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.</p>
</td>
</tr>
<tr>
@ -4654,6 +4654,52 @@ See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://k
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.TargetSelector">TargetSelector
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.TargetResourceSpec">TargetResourceSpec</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>ResourceSpec</code><br/>
<em>
<a href="#kyverno.io/v1.ResourceSpec">
ResourceSpec
</a>
</em>
</td>
<td>
<p>ResourceSpec contains the target resources to load when mutating existing resources.</p>
</td>
</tr>
<tr>
<td>
<code>selector</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#labelselector-v1-meta">
Kubernetes meta/v1.LabelSelector
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Selector allows you to select target resources with their labels.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.UserInfo">UserInfo
</h3>
<p>

103
docs/user/crd/kyverno.v1.html
View file

@ -7599,7 +7599,7 @@ does not match an empty label set.</p>
<p>
(<em>Appears in:</em>
<a href="#kyverno-io-v1-GeneratePattern">GeneratePattern</a>,
<a href="#kyverno-io-v1-TargetResourceSpec">TargetResourceSpec</a>)
<a href="#kyverno-io-v1-TargetSelector">TargetSelector</a>)
</p>
@ -9298,7 +9298,7 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<tr>
<td><code>ResourceSpec</code>
<td><code>TargetSelector</code>
<span style="color:blue;"> *</span>
@ -9307,8 +9307,8 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<a href="#kyverno-io-v1-ResourceSpec">
<span style="font-family: monospace">ResourceSpec</span>
<a href="#kyverno-io-v1-TargetSelector">
<span style="font-family: monospace">TargetSelector</span>
</a>
@ -9316,7 +9316,7 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used
<td>
<p>ResourceSpec contains the target resources to load when mutating existing resources.</p>
<p>TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.</p>
@ -9390,6 +9390,99 @@ See: https://kyverno.io/docs/writing-policies/preconditions/</p>
</tbody>
</table>
<H3 id="kyverno-io-v1-TargetSelector">TargetSelector
</H3>
<p>
(<em>Appears in:</em>
<a href="#kyverno-io-v1-TargetResourceSpec">TargetResourceSpec</a>)
</p>
<p></p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>ResourceSpec</code>
<span style="color:blue;"> *</span>
</br>
<a href="#kyverno-io-v1-ResourceSpec">
<span style="font-family: monospace">ResourceSpec</span>
</a>
</td>
<td>
<p>ResourceSpec contains the target resources to load when mutating existing resources.</p>
</td>
</tr>
<tr>
<td><code>selector</code>
</br>
<span style="font-family: monospace">meta/v1.LabelSelector</span>
</td>
<td>
<p>Selector allows you to select target resources with their labels.</p>
</td>
</tr>
</tbody>
</table>

22
pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go
View file

@ -20,15 +20,16 @@ package v1
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
)
// TargetResourceSpecApplyConfiguration represents an declarative configuration of the TargetResourceSpec type for use
// with apply.
type TargetResourceSpecApplyConfiguration struct {
*ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
Context []ContextEntryApplyConfiguration `json:"context,omitempty"`
RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
*TargetSelectorApplyConfiguration `json:"TargetSelector,omitempty"`
Context []ContextEntryApplyConfiguration `json:"context,omitempty"`
RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
}
// TargetResourceSpecApplyConfiguration constructs an declarative configuration of the TargetResourceSpec type for use with
@ -88,6 +89,21 @@ func (b *TargetResourceSpecApplyConfiguration) ensureResourceSpecApplyConfigurat
}
}
// WithSelector sets the Selector field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Selector field is set to the value of the last call.
func (b *TargetResourceSpecApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetResourceSpecApplyConfiguration {
b.ensureTargetSelectorApplyConfigurationExists()
b.Selector = &value
return b
}
func (b *TargetResourceSpecApplyConfiguration) ensureTargetSelectorApplyConfigurationExists() {
if b.TargetSelectorApplyConfiguration == nil {
b.TargetSelectorApplyConfiguration = &TargetSelectorApplyConfiguration{}
}
}
// WithContext adds the given value to the Context field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Context field.

96
pkg/client/applyconfigurations/kyverno/v1/targetselector.go Normal file
View file

@ -0,0 +1,96 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
types "k8s.io/apimachinery/pkg/types"
)
// TargetSelectorApplyConfiguration represents an declarative configuration of the TargetSelector type for use
// with apply.
type TargetSelectorApplyConfiguration struct {
*ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"`
Selector *metav1.LabelSelector `json:"selector,omitempty"`
}
// TargetSelectorApplyConfiguration constructs an declarative configuration of the TargetSelector type for use with
// apply.
func TargetSelector() *TargetSelectorApplyConfiguration {
return &TargetSelectorApplyConfiguration{}
}
// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the APIVersion field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithAPIVersion(value string) *TargetSelectorApplyConfiguration {
b.ensureResourceSpecApplyConfigurationExists()
b.APIVersion = &value
return b
}
// WithKind sets the Kind field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Kind field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithKind(value string) *TargetSelectorApplyConfiguration {
b.ensureResourceSpecApplyConfigurationExists()
b.Kind = &value
return b
}
// WithNamespace sets the Namespace field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Namespace field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithNamespace(value string) *TargetSelectorApplyConfiguration {
b.ensureResourceSpecApplyConfigurationExists()
b.Namespace = &value
return b
}
// WithName sets the Name field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Name field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithName(value string) *TargetSelectorApplyConfiguration {
b.ensureResourceSpecApplyConfigurationExists()
b.Name = &value
return b
}
// WithUID sets the UID field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the UID field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithUID(value types.UID) *TargetSelectorApplyConfiguration {
b.ensureResourceSpecApplyConfigurationExists()
b.UID = &value
return b
}
func (b *TargetSelectorApplyConfiguration) ensureResourceSpecApplyConfigurationExists() {
if b.ResourceSpecApplyConfiguration == nil {
b.ResourceSpecApplyConfiguration = &ResourceSpecApplyConfiguration{}
}
}
// WithSelector sets the Selector field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Selector field is set to the value of the last call.
func (b *TargetSelectorApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetSelectorApplyConfiguration {
b.Selector = &value
return b
}

2
pkg/client/applyconfigurations/utils.go
View file

@ -141,6 +141,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov1.StaticKeyAttestorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TargetResourceSpec"):
return &kyvernov1.TargetResourceSpecApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("TargetSelector"):
return &kyvernov1.TargetSelectorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("UserInfo"):
return &kyvernov1.UserInfoApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ValidateImageVerification"):

41
pkg/clients/dclient/fake.go
View file

@ -6,7 +6,9 @@ import (
"strings"
openapiv2 "github.com/google/gnostic-models/openapiv2"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/discovery"
@ -16,7 +18,32 @@ import (
// NewFakeClient ---testing utilities
func NewFakeClient(scheme *runtime.Scheme, gvrToListKind map[schema.GroupVersionResource]string, objects ...runtime.Object) (Interface, error) {
c := fake.NewSimpleDynamicClientWithCustomListKinds(scheme, gvrToListKind, objects...)
unstructuredScheme := runtime.NewScheme()
for gvk := range scheme.AllKnownTypes() {
if unstructuredScheme.Recognizes(gvk) {
continue
}
if strings.HasSuffix(gvk.Kind, "List") {
unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{})
continue
}
unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{})
}
objects, err := convertObjectsToUnstructured(objects)
if err != nil {
panic(err)
}
for _, obj := range objects {
gvk := obj.GetObjectKind().GroupVersionKind()
if !unstructuredScheme.Recognizes(gvk) {
unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{})
}
gvk.Kind += "List"
if !unstructuredScheme.Recognizes(gvk) {
unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{})
}
}
c := fake.NewSimpleDynamicClientWithCustomListKinds(unstructuredScheme, gvrToListKind, objects...)
// the typed and dynamic client are initialized with similar resources
kclient := kubefake.NewSimpleClientset(objects...)
return &client{
@ -101,3 +128,15 @@ func (c *fakeDiscoveryClient) OpenAPISchema() (*openapiv2.Document, error) {
func (c *fakeDiscoveryClient) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface {
return nil
}
func convertObjectsToUnstructured(objs []runtime.Object) ([]runtime.Object, error) {
ul := make([]runtime.Object, 0, len(objs))
for _, obj := range objs {
u, err := kubeutils.ObjToUnstructured(obj)
if err != nil {
return nil, err
}
ul = append(ul, u)
}
return ul, nil
}

15
pkg/clients/dclient/helpers.go
View file

@ -16,7 +16,7 @@ type Resource struct {
Unstructured unstructured.Unstructured
}
func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string) ([]Resource, error) {
func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error) {
var resources []Resource
gvrss, err := c.Discovery().FindResources(group, version, kind, subresource)
if err != nil {
@ -45,8 +45,17 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres
})
} else {
// we can use `LIST`
var labelSelector string
if lselector != nil {
selector, err := metav1.LabelSelectorAsSelector(lselector)
if err != nil {
return nil, err
}
labelSelector = selector.String()
}
if gvrs.SubResource == "" {
list, err := dyn.List(ctx, metav1.ListOptions{})
list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
if err != nil {
return nil, err
}
@ -63,7 +72,7 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres
}
} else {
// we need to use `LIST` / `GET`
list, err := dyn.List(ctx, metav1.ListOptions{})
list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
if err != nil {
return nil, err
}

4
pkg/engine/adapters/dclient.go
View file

@ -25,8 +25,8 @@ func (a *dclientAdapter) RawAbsPath(ctx context.Context, path, method string, da
return a.client.RawAbsPath(ctx, path, method, dataReader)
}
func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]engineapi.Resource, error) {
resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name)
func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]engineapi.Resource, error) {
resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name, lselector)
if err != nil {
return nil, err
}

2
pkg/engine/api/client.go
View file

@ -31,7 +31,7 @@ type AuthClient interface {
type ResourceClient interface {
GetResource(ctx context.Context, apiVersion, kind, namespace, name string, subresources ...string) (*unstructured.Unstructured, error)
ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]Resource, error)
GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error)
GetNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Namespace, error)
IsNamespaced(group, version, kind string) (bool, error)
}

30
pkg/engine/handlers/mutation/load_targets.go
View file

@ -40,7 +40,7 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno
errors = append(errors, err)
continue
}
objs, err := getTargets(ctx, client, spec, policyCtx)
objs, err := getTargets(ctx, client, spec.ResourceSpec, policyCtx, spec.Selector)
if err != nil {
errors = append(errors, err)
continue
@ -56,32 +56,35 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno
return targetObjects, multierr.Combine(errors...)
}
func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.ResourceSpec, error) {
func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.TargetSelector, error) {
kind, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Kind)
if err != nil {
return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err)
return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err)
}
apiversion, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.APIVersion)
if err != nil {
return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err)
return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err)
}
namespace, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Namespace)
if err != nil || namespace == nil {
return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err)
return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err)
}
name, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Name)
if err != nil || name == nil {
return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err)
return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err)
}
return kyvernov1.ResourceSpec{
APIVersion: apiversion.(string),
Kind: kind.(string),
Namespace: namespace.(string),
Name: name.(string),
return kyvernov1.TargetSelector{
ResourceSpec: kyvernov1.ResourceSpec{
APIVersion: apiversion.(string),
Kind: kind.(string),
Namespace: namespace.(string),
Name: name.(string),
},
Selector: target.Selector,
}, nil
}
func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext) ([]resourceInfo, error) {
func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext, lselector *metav1.LabelSelector) ([]resourceInfo, error) {
namespace := target.Namespace
name := target.Name
policy := policyCtx.Policy()
@ -90,10 +93,11 @@ func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.R
namespace = policy.GetNamespace()
}
group, version, kind, subresource := kubeutils.ParseKindSelector(target.APIVersion + "/" + target.Kind)
resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name)
resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name, lselector)
if err != nil {
return nil, err
}
targetObjects := make([]resourceInfo, 0, len(resources))
for _, resource := range resources {
targetObjects = append(targetObjects, resourceInfo{

164
pkg/engine/mutation_test.go
View file

@ -1366,6 +1366,161 @@ func Test_mutate_existing_resources(t *testing.T) {
patchedTargets [][]byte
targetList string
}{
{
name: "test-labelselector",
policy: []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "test-post-mutation"
},
"spec": {
"rules": [
{
"name": "mutate-deploy-on-configmap-update",
"match": {
"any": [
{
"resources": {
"kinds": [
"ConfigMap"
],
"names": [
"dictionary"
],
"namespaces": [
"staging"
]
}
}
]
},
"preconditions": {
"any": [
{
"key": "{{ request.object.data.foo }}",
"operator": "Equals",
"value": "bar"
}
]
},
"mutate": {
"targets": [
{
"apiVersion": "v1",
"kind": "Deployment",
"namespace": "staging",
"selector": {
"matchLabels": {
"app":"nginx"
}
}
}
],
"patchStrategicMerge": {
"metadata": {
"labels": {
"foo": "bar"
}
}
}
}
}
]
}
}`),
trigger: []byte(`{
"apiVersion": "v1",
"data": {
"foo": "bar"
},
"kind": "ConfigMap",
"metadata": {
"name": "dictionary",
"namespace": "staging"
}
}`),
targets: [][]byte{[]byte(`{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "example-A",
"namespace": "staging",
"labels": {
"app": "nginx"
}
},
"spec": {
"replicas": 1,
"selector": {
"matchLabels": {
"app": "nginx"
}
},
"template": {
"metadata": {
"labels": {
"app": "nginx"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx:1.14.2",
"ports": [
{
"containerPort": 80
}
]
}
]
}
}
}
}`)},
patchedTargets: [][]byte{[]byte(`{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "example-A",
"namespace": "staging",
"labels": {
"app": "nginx",
"foo": "bar"
}
},
"spec": {
"replicas": 1,
"selector": {
"matchLabels": {
"app": "nginx"
}
},
"template": {
"metadata": {
"labels": {
"app": "nginx"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx:1.14.2",
"ports": [
{
"containerPort": 80
}
]
}
]
}
}
}
}`)},
targetList: "DeploymentList",
},
{
name: "test-different-trigger-target",
policy: []byte(`{
@ -1849,18 +2004,11 @@ func Test_mutate_existing_resources(t *testing.T) {
}
policyContext := createContext(t, &policy, trigger)
gvrToListKind := map[schema.GroupVersionResource]string{
{Group: patchedTargets[0].GroupVersionKind().Group, Version: patchedTargets[0].GroupVersionKind().Version, Resource: patchedTargets[0].GroupVersionKind().Kind}: test.targetList,
}
scheme := runtime.NewScheme()
dclient, err := client.NewFakeClient(scheme, gvrToListKind, targets...)
dclient, err := client.NewFakeClient(scheme, map[schema.GroupVersionResource]string{}, targets...)
require.NoError(t, err)
dclient.SetDiscovery(client.NewFakeDiscoveryClient(nil))
_, err = dclient.GetResource(context.TODO(), patchedTargets[0].GetAPIVersion(), patchedTargets[0].GetKind(), patchedTargets[0].GetNamespace(), patchedTargets[0].GetName())
require.NoError(t, err)
er := testMutate(context.TODO(), dclient, registryclient.NewOrDie(), policyContext, nil)
var actualPatchedTargets []unstructured.Unstructured

21
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md Normal file
View file

@ -0,0 +1,21 @@
## Description
This test ensures that target resources for mutations can be selected using label selectors
## Expected Behavior
The target resource is fetched and mutated when specifying a label selector that will match it
## Steps
### Test Steps
1. Create three `ConfigMap` resources, two with the required label existing and one without it.
2. Create a `ClusterPolicy` that will add a label to `ConfigMaps` on any secret events, and select targets with the label.
3. Create a `Secert` resource.
4. Assert that the `ConfigMaps` got the required labels added to them.
5. Verify that the `ConfigMap` without the required label on it didn't get changed.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/10407

23
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: test-fetching-resources-with-labelselectors
spec:
steps:
- name: step-01
try:
- apply:
file: should-match.yaml
- apply:
file: should-not-match.yaml
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- apply:
file: secret.yaml
- assert:
file: cm-mutated.yaml
- assert:
file: should-not-match.yaml

15
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cm1
labels:
should-match: 'yes'
foo: 'bar'
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cm1
labels:
should-match: 'yes'
foo: 'bar'

9
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-existing-configmap
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

24
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-existing-configmap
spec:
rules:
- name: mutate-configmap-on-secret-event
match:
any:
- resources:
kinds:
- Secret
mutate:
targets:
- apiVersion: v1
kind: ConfigMap
selector:
matchLabels:
should-match: 'yes'
patchStrategicMerge:
metadata:
labels:
foo: bar

4
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Secret
metadata:
name: some-secret

13
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cm1
labels:
should-match: 'yes'
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cm2
labels:
should-match: 'yes'

6
test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cm3
labels:
should-match: 'no'