From 9a8e35d78704c9d011a2fafd1d68d329fcfa8de8 Mon Sep 17 00:00:00 2001 From: Ammar Yasser Date: Wed, 16 Oct 2024 14:17:08 +0300 Subject: [PATCH] Selector with mutate target (#11208) * feature: Add LabelSelector as a field of resource spec to allow fetching by labels Signed-off-by: aerosouund * chore: Generate CRDs Signed-off-by: aerosouund * feat: Add the capability to fetch with label selector - Add the label selector as a parameter to GetResources of the engine api client and the dclient. - Use the label selector with list options in the dclient. - convert a metav1.LabelSelector to a labels.Selector before fetching to be able to convert it to a string to be used with ListOptions. Signed-off-by: aerosouund * feat: Pass label selector to the GetResources method Signed-off-by: aerosouund * feat: Return the resource selector when resolving spec Signed-off-by: aerosouund * fix: Instantiate the fake client schema using the passed gvrToListKind map and by inferring schema from passed resources All tests that use List will fail because the fake client doesn't infer the schema from the passed resources. gvrToListKind can't be fully deprecated as some parts of kyverno use the fake client without passing resources to it (resource generation). And so both approaches have to be supported. References: - https://github.com/kubernetes/client-go/issues/983 - https://github.com/kubernetes/client-go/commit/46c1ad3baa101ce5886a69f7c6a47d7777db3e56 Signed-off-by: aerosouund * test: Add labelSelector unit test to mutate existing test. - Remove the unwanted call to GetResource. - Pass an empty map of GVR to string to the fake client constructor. Signed-off-by: aerosouund * test: Add chainsaw test Signed-off-by: aerosouund * chore: Run codegen Signed-off-by: aerosouund * chore: Generate helm CRDs Signed-off-by: aerosouund * refactor: Put the LabelSelector in a separate struct Many types use the ResourceSpec struct and not all of them support label selectors. This removes the field into a separate schema dedicated to target selection called TargetSelector. It has the ResourceSpec and the selector. Signed-off-by: aerosouund * chore: Run codegen after modifying selector comment Signed-off-by: aerosouund * chore: Run codegen Signed-off-by: aerosouund --------- Signed-off-by: aerosouund Co-authored-by: shuting --- api/kyverno/v1/resource_spec_types.go | 15 +- api/kyverno/v1/zz_generated.deepcopy.go | 24 +- .../kyverno.io_clusterpolicies.yaml | 192 +++++++++ .../kyverno.io/kyverno.io_policies.yaml | 192 +++++++++ .../data/crds/kyverno.io_clusterpolicies.yaml | 192 +++++++++ .../data/crds/kyverno.io_policies.yaml | 192 +++++++++ .../kyverno/kyverno.io_clusterpolicies.yaml | 192 +++++++++ config/crds/kyverno/kyverno.io_policies.yaml | 192 +++++++++ config/install-latest-testing.yaml | 384 ++++++++++++++++++ docs/user/crd/index.html | 56 ++- docs/user/crd/kyverno.v1.html | 103 ++++- .../kyverno/v1/targetresourcespec.go | 22 +- .../kyverno/v1/targetselector.go | 96 +++++ pkg/client/applyconfigurations/utils.go | 2 + pkg/clients/dclient/fake.go | 41 +- pkg/clients/dclient/helpers.go | 15 +- pkg/engine/adapters/dclient.go | 4 +- pkg/engine/api/client.go | 2 +- pkg/engine/handlers/mutation/load_targets.go | 30 +- pkg/engine/mutation_test.go | 164 +++++++- .../standard/existing/labelselector/README.md | 21 + .../existing/labelselector/chainsaw-test.yaml | 23 ++ .../existing/labelselector/cm-mutated.yaml | 15 + .../existing/labelselector/policy-assert.yaml | 9 + .../existing/labelselector/policy.yaml | 24 ++ .../existing/labelselector/secret.yaml | 4 + .../existing/labelselector/should-match.yaml | 13 + .../labelselector/should-not-match.yaml | 6 + 28 files changed, 2181 insertions(+), 44 deletions(-) create mode 100644 pkg/client/applyconfigurations/kyverno/v1/targetselector.go create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml create mode 100644 test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml diff --git a/api/kyverno/v1/resource_spec_types.go b/api/kyverno/v1/resource_spec_types.go index ab9f306307..f431f4baf5 100644 --- a/api/kyverno/v1/resource_spec_types.go +++ b/api/kyverno/v1/resource_spec_types.go @@ -3,6 +3,7 @@ package v1 import ( "strings" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" ) @@ -39,8 +40,8 @@ func (s ResourceSpec) String() string { // TargetResourceSpec defines targets for mutating existing resources. type TargetResourceSpec struct { - // ResourceSpec contains the target resources to load when mutating existing resources. - ResourceSpec `json:",omitempty"` + // TargetSelector contains the ResourceSpec and a label selector to support selecting with labels. + TargetSelector `json:",omitempty"` // Context defines variables and data sources that can be used during rule execution. // +optional @@ -57,9 +58,19 @@ type TargetResourceSpec struct { RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty"` } +type TargetSelector struct { + // ResourceSpec contains the target resources to load when mutating existing resources. + ResourceSpec `json:",omitempty"` + // Selector allows you to select target resources with their labels. + // +optional + Selector *metav1.LabelSelector `json:"selector,omitempty"` +} + func (r *TargetResourceSpec) GetAnyAllConditions() any { if r.RawAnyAllConditions == nil { return nil } return r.RawAnyAllConditions.Conditions } + +func (r *TargetResourceSpec) GetSelector() *metav1.LabelSelector { return r.Selector } diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index d16d6bf918..948c2590d6 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1627,7 +1627,7 @@ func (in *StaticKeyAttestor) DeepCopy() *StaticKeyAttestor { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TargetResourceSpec) DeepCopyInto(out *TargetResourceSpec) { *out = *in - out.ResourceSpec = in.ResourceSpec + in.TargetSelector.DeepCopyInto(&out.TargetSelector) if in.Context != nil { in, out := &in.Context, &out.Context *out = make([]ContextEntry, len(*in)) @@ -1652,6 +1652,28 @@ func (in *TargetResourceSpec) DeepCopy() *TargetResourceSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TargetSelector) DeepCopyInto(out *TargetSelector) { + *out = *in + out.ResourceSpec = in.ResourceSpec + if in.Selector != nil { + in, out := &in.Selector, &out.Selector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. +func (in *TargetSelector) DeepCopy() *TargetSelector { + if in == nil { + return nil + } + out := new(TargetSelector) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserInfo) DeepCopyInto(out *UserInfo) { *out = *in diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 5154339fd2..62277aae2d 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -2926,6 +2926,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7987,6 +8035,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12684,6 +12780,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17879,6 +18023,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index d888d7d46e..0cec4c97b5 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -2927,6 +2927,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7989,6 +8037,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12687,6 +12783,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17882,6 +18026,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 13aa222910..c4c2fda998 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -2920,6 +2920,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7981,6 +8029,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12678,6 +12774,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17873,6 +18017,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index f9d1f7b461..008f0bc6da 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -2921,6 +2921,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7983,6 +8031,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12681,6 +12777,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17876,6 +18020,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 13aa222910..c4c2fda998 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -2920,6 +2920,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7981,6 +8029,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12678,6 +12774,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17873,6 +18017,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index f9d1f7b461..008f0bc6da 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -2921,6 +2921,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -7983,6 +8031,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -12681,6 +12777,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -17876,6 +18020,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index e8e5a263d3..09b3e9344d 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -8313,6 +8313,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -13374,6 +13422,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -18071,6 +18167,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -23266,6 +23410,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -28674,6 +28866,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -33736,6 +33976,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -38434,6 +38722,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string @@ -43629,6 +43965,54 @@ spec: will be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true + selector: + description: Selector allows you to select target + resources with their labels. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic uid: description: UID specifies the resource uid. type: string diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index fb88135c80..54a7043b96 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -3819,7 +3819,7 @@ ResourceDescription

(Appears on: GeneratePattern, -TargetResourceSpec, +TargetSelector, UpdateRequestSpec, UpdateRequestStatus, RuleContext, @@ -4608,15 +4608,15 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used -ResourceSpec
+TargetSelector
- -ResourceSpec + +TargetSelector -

ResourceSpec contains the target resources to load when mutating existing resources.

+

TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.

@@ -4654,6 +4654,52 @@ See: https://k
+

TargetSelector +

+

+(Appears on: +TargetResourceSpec) +

+

+

+ + + + + + + + + + + + + + + + + +
FieldDescription
+ResourceSpec
+ + +ResourceSpec + + +		 +

ResourceSpec contains the target resources to load when mutating existing resources.

+
+selector
+ + +Kubernetes meta/v1.LabelSelector + + +		 +(Optional) +

Selector allows you to select target resources with their labels.

+
+

UserInfo

diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index b3400e3274..c16689bd80 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -7599,7 +7599,7 @@ does not match an empty label set.

(Appears in: GeneratePattern, - TargetResourceSpec) + TargetSelector)

@@ -9298,7 +9298,7 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used - ResourceSpec + TargetSelector * @@ -9307,8 +9307,8 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used - - ResourceSpec + + TargetSelector @@ -9316,7 +9316,7 @@ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used -

ResourceSpec contains the target resources to load when mutating existing resources.

+

TargetSelector contains the ResourceSpec and a label selector to support selecting with labels.

@@ -9390,6 +9390,99 @@ See: https://kyverno.io/docs/writing-policies/preconditions/

+ + + + +

TargetSelector +

+ + +

+ (Appears in: + TargetResourceSpec) +

+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
ResourceSpec + + * + +
+ + + + + + ResourceSpec + + + + 		+ + +

ResourceSpec contains the target resources to load when mutating existing resources.

+ + + + + +
selector + +
+ + + + + meta/v1.LabelSelector + + + 		+ + +

Selector allows you to select target resources with their labels.

+ + + + + +
diff --git a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go index 9c26ee0360..841c156b24 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go +++ b/pkg/client/applyconfigurations/kyverno/v1/targetresourcespec.go @@ -20,15 +20,16 @@ package v1 import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" types "k8s.io/apimachinery/pkg/types" ) // TargetResourceSpecApplyConfiguration represents an declarative configuration of the TargetResourceSpec type for use // with apply. type TargetResourceSpecApplyConfiguration struct { - *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"` - Context []ContextEntryApplyConfiguration `json:"context,omitempty"` - RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"` + *TargetSelectorApplyConfiguration `json:"TargetSelector,omitempty"` + Context []ContextEntryApplyConfiguration `json:"context,omitempty"` + RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"` } // TargetResourceSpecApplyConfiguration constructs an declarative configuration of the TargetResourceSpec type for use with @@ -88,6 +89,21 @@ func (b *TargetResourceSpecApplyConfiguration) ensureResourceSpecApplyConfigurat } } +// WithSelector sets the Selector field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Selector field is set to the value of the last call. +func (b *TargetResourceSpecApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetResourceSpecApplyConfiguration { + b.ensureTargetSelectorApplyConfigurationExists() + b.Selector = &value + return b +} + +func (b *TargetResourceSpecApplyConfiguration) ensureTargetSelectorApplyConfigurationExists() { + if b.TargetSelectorApplyConfiguration == nil { + b.TargetSelectorApplyConfiguration = &TargetSelectorApplyConfiguration{} + } +} + // WithContext adds the given value to the Context field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Context field. diff --git a/pkg/client/applyconfigurations/kyverno/v1/targetselector.go b/pkg/client/applyconfigurations/kyverno/v1/targetselector.go new file mode 100644 index 0000000000..222198a82a --- /dev/null +++ b/pkg/client/applyconfigurations/kyverno/v1/targetselector.go @@ -0,0 +1,96 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" +) + +// TargetSelectorApplyConfiguration represents an declarative configuration of the TargetSelector type for use +// with apply. +type TargetSelectorApplyConfiguration struct { + *ResourceSpecApplyConfiguration `json:"ResourceSpec,omitempty"` + Selector *metav1.LabelSelector `json:"selector,omitempty"` +} + +// TargetSelectorApplyConfiguration constructs an declarative configuration of the TargetSelector type for use with +// apply. +func TargetSelector() *TargetSelectorApplyConfiguration { + return &TargetSelectorApplyConfiguration{} +} + +// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the APIVersion field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithAPIVersion(value string) *TargetSelectorApplyConfiguration { + b.ensureResourceSpecApplyConfigurationExists() + b.APIVersion = &value + return b +} + +// WithKind sets the Kind field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Kind field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithKind(value string) *TargetSelectorApplyConfiguration { + b.ensureResourceSpecApplyConfigurationExists() + b.Kind = &value + return b +} + +// WithNamespace sets the Namespace field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Namespace field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithNamespace(value string) *TargetSelectorApplyConfiguration { + b.ensureResourceSpecApplyConfigurationExists() + b.Namespace = &value + return b +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithName(value string) *TargetSelectorApplyConfiguration { + b.ensureResourceSpecApplyConfigurationExists() + b.Name = &value + return b +} + +// WithUID sets the UID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UID field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithUID(value types.UID) *TargetSelectorApplyConfiguration { + b.ensureResourceSpecApplyConfigurationExists() + b.UID = &value + return b +} + +func (b *TargetSelectorApplyConfiguration) ensureResourceSpecApplyConfigurationExists() { + if b.ResourceSpecApplyConfiguration == nil { + b.ResourceSpecApplyConfiguration = &ResourceSpecApplyConfiguration{} + } +} + +// WithSelector sets the Selector field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Selector field is set to the value of the last call. +func (b *TargetSelectorApplyConfiguration) WithSelector(value metav1.LabelSelector) *TargetSelectorApplyConfiguration { + b.Selector = &value + return b +} diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go index d051d1d11a..ef83bbc5bd 100644 --- a/pkg/client/applyconfigurations/utils.go +++ b/pkg/client/applyconfigurations/utils.go @@ -141,6 +141,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &kyvernov1.StaticKeyAttestorApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TargetResourceSpec"): return &kyvernov1.TargetResourceSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("TargetSelector"): + return &kyvernov1.TargetSelectorApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("UserInfo"): return &kyvernov1.UserInfoApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ValidateImageVerification"): diff --git a/pkg/clients/dclient/fake.go b/pkg/clients/dclient/fake.go index 89d71c7dfb..9baf85ca6d 100644 --- a/pkg/clients/dclient/fake.go +++ b/pkg/clients/dclient/fake.go @@ -6,7 +6,9 @@ import ( "strings" openapiv2 "github.com/google/gnostic-models/openapiv2" + kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/discovery" @@ -16,7 +18,32 @@ import ( // NewFakeClient ---testing utilities func NewFakeClient(scheme *runtime.Scheme, gvrToListKind map[schema.GroupVersionResource]string, objects ...runtime.Object) (Interface, error) { - c := fake.NewSimpleDynamicClientWithCustomListKinds(scheme, gvrToListKind, objects...) + unstructuredScheme := runtime.NewScheme() + for gvk := range scheme.AllKnownTypes() { + if unstructuredScheme.Recognizes(gvk) { + continue + } + if strings.HasSuffix(gvk.Kind, "List") { + unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{}) + continue + } + unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{}) + } + objects, err := convertObjectsToUnstructured(objects) + if err != nil { + panic(err) + } + for _, obj := range objects { + gvk := obj.GetObjectKind().GroupVersionKind() + if !unstructuredScheme.Recognizes(gvk) { + unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.Unstructured{}) + } + gvk.Kind += "List" + if !unstructuredScheme.Recognizes(gvk) { + unstructuredScheme.AddKnownTypeWithName(gvk, &unstructured.UnstructuredList{}) + } + } + c := fake.NewSimpleDynamicClientWithCustomListKinds(unstructuredScheme, gvrToListKind, objects...) // the typed and dynamic client are initialized with similar resources kclient := kubefake.NewSimpleClientset(objects...) return &client{ @@ -101,3 +128,15 @@ func (c *fakeDiscoveryClient) OpenAPISchema() (*openapiv2.Document, error) { func (c *fakeDiscoveryClient) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface { return nil } + +func convertObjectsToUnstructured(objs []runtime.Object) ([]runtime.Object, error) { + ul := make([]runtime.Object, 0, len(objs)) + for _, obj := range objs { + u, err := kubeutils.ObjToUnstructured(obj) + if err != nil { + return nil, err + } + ul = append(ul, u) + } + return ul, nil +} diff --git a/pkg/clients/dclient/helpers.go b/pkg/clients/dclient/helpers.go index c1c1c58f24..8fa249c6c5 100644 --- a/pkg/clients/dclient/helpers.go +++ b/pkg/clients/dclient/helpers.go @@ -16,7 +16,7 @@ type Resource struct { Unstructured unstructured.Unstructured } -func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string) ([]Resource, error) { +func GetResources(ctx context.Context, c Interface, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error) { var resources []Resource gvrss, err := c.Discovery().FindResources(group, version, kind, subresource) if err != nil { @@ -45,8 +45,17 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres }) } else { // we can use `LIST` + var labelSelector string + if lselector != nil { + selector, err := metav1.LabelSelectorAsSelector(lselector) + if err != nil { + return nil, err + } + labelSelector = selector.String() + } + if gvrs.SubResource == "" { - list, err := dyn.List(ctx, metav1.ListOptions{}) + list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector}) if err != nil { return nil, err } @@ -63,7 +72,7 @@ func GetResources(ctx context.Context, c Interface, group, version, kind, subres } } else { // we need to use `LIST` / `GET` - list, err := dyn.List(ctx, metav1.ListOptions{}) + list, err := dyn.List(ctx, metav1.ListOptions{LabelSelector: labelSelector}) if err != nil { return nil, err } diff --git a/pkg/engine/adapters/dclient.go b/pkg/engine/adapters/dclient.go index ab0e9b9646..560c204590 100644 --- a/pkg/engine/adapters/dclient.go +++ b/pkg/engine/adapters/dclient.go @@ -25,8 +25,8 @@ func (a *dclientAdapter) RawAbsPath(ctx context.Context, path, method string, da return a.client.RawAbsPath(ctx, path, method, dataReader) } -func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]engineapi.Resource, error) { - resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name) +func (a *dclientAdapter) GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]engineapi.Resource, error) { + resources, err := dclient.GetResources(ctx, a.client, group, version, kind, subresource, namespace, name, lselector) if err != nil { return nil, err } diff --git a/pkg/engine/api/client.go b/pkg/engine/api/client.go index 3b9ec25926..6f5dd8f440 100644 --- a/pkg/engine/api/client.go +++ b/pkg/engine/api/client.go @@ -31,7 +31,7 @@ type AuthClient interface { type ResourceClient interface { GetResource(ctx context.Context, apiVersion, kind, namespace, name string, subresources ...string) (*unstructured.Unstructured, error) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error) - GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string) ([]Resource, error) + GetResources(ctx context.Context, group, version, kind, subresource, namespace, name string, lselector *metav1.LabelSelector) ([]Resource, error) GetNamespace(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Namespace, error) IsNamespaced(group, version, kind string) (bool, error) } diff --git a/pkg/engine/handlers/mutation/load_targets.go b/pkg/engine/handlers/mutation/load_targets.go index 28ceb71daa..c85f0551fe 100644 --- a/pkg/engine/handlers/mutation/load_targets.go +++ b/pkg/engine/handlers/mutation/load_targets.go @@ -40,7 +40,7 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno errors = append(errors, err) continue } - objs, err := getTargets(ctx, client, spec, policyCtx) + objs, err := getTargets(ctx, client, spec.ResourceSpec, policyCtx, spec.Selector) if err != nil { errors = append(errors, err) continue @@ -56,32 +56,35 @@ func loadTargets(ctx context.Context, client engineapi.Client, targets []kyverno return targetObjects, multierr.Combine(errors...) } -func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.ResourceSpec, error) { +func resolveSpec(i int, target kyvernov1.TargetResourceSpec, ctx engineapi.PolicyContext, logger logr.Logger) (kyvernov1.TargetSelector, error) { kind, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Kind) if err != nil { - return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err) + return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s, value: %v, err: %v", i, target.Kind, kind, err) } apiversion, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.APIVersion) if err != nil { - return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err) + return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s, value: %v, err: %v", i, target.APIVersion, apiversion, err) } namespace, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Namespace) if err != nil || namespace == nil { - return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err) + return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s, value: %v, err: %v", i, target.Namespace, namespace, err) } name, err := variables.SubstituteAll(logger, ctx.JSONContext(), target.Name) if err != nil || name == nil { - return kyvernov1.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err) + return kyvernov1.TargetSelector{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s, value: %v, err: %v", i, target.Name, name, err) } - return kyvernov1.ResourceSpec{ - APIVersion: apiversion.(string), - Kind: kind.(string), - Namespace: namespace.(string), - Name: name.(string), + return kyvernov1.TargetSelector{ + ResourceSpec: kyvernov1.ResourceSpec{ + APIVersion: apiversion.(string), + Kind: kind.(string), + Namespace: namespace.(string), + Name: name.(string), + }, + Selector: target.Selector, }, nil } -func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext) ([]resourceInfo, error) { +func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.ResourceSpec, policyCtx engineapi.PolicyContext, lselector *metav1.LabelSelector) ([]resourceInfo, error) { namespace := target.Namespace name := target.Name policy := policyCtx.Policy() @@ -90,10 +93,11 @@ func getTargets(ctx context.Context, client engineapi.Client, target kyvernov1.R namespace = policy.GetNamespace() } group, version, kind, subresource := kubeutils.ParseKindSelector(target.APIVersion + "/" + target.Kind) - resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name) + resources, err := client.GetResources(ctx, group, version, kind, subresource, namespace, name, lselector) if err != nil { return nil, err } + targetObjects := make([]resourceInfo, 0, len(resources)) for _, resource := range resources { targetObjects = append(targetObjects, resourceInfo{ diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go index 6b4941ea33..7ff1b5ace1 100644 --- a/pkg/engine/mutation_test.go +++ b/pkg/engine/mutation_test.go @@ -1366,6 +1366,161 @@ func Test_mutate_existing_resources(t *testing.T) { patchedTargets [][]byte targetList string }{ + { + name: "test-labelselector", + policy: []byte(`{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "test-post-mutation" + }, + "spec": { + "rules": [ + { + "name": "mutate-deploy-on-configmap-update", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "ConfigMap" + ], + "names": [ + "dictionary" + ], + "namespaces": [ + "staging" + ] + } + } + ] + }, + "preconditions": { + "any": [ + { + "key": "{{ request.object.data.foo }}", + "operator": "Equals", + "value": "bar" + } + ] + }, + "mutate": { + "targets": [ + { + "apiVersion": "v1", + "kind": "Deployment", + "namespace": "staging", + "selector": { + "matchLabels": { + "app":"nginx" + } + } + } + ], + "patchStrategicMerge": { + "metadata": { + "labels": { + "foo": "bar" + } + } + } + } + } + ] + } + }`), + trigger: []byte(`{ + "apiVersion": "v1", + "data": { + "foo": "bar" + }, + "kind": "ConfigMap", + "metadata": { + "name": "dictionary", + "namespace": "staging" + } + }`), + targets: [][]byte{[]byte(`{ + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "example-A", + "namespace": "staging", + "labels": { + "app": "nginx" + } + }, + "spec": { + "replicas": 1, + "selector": { + "matchLabels": { + "app": "nginx" + } + }, + "template": { + "metadata": { + "labels": { + "app": "nginx" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:1.14.2", + "ports": [ + { + "containerPort": 80 + } + ] + } + ] + } + } + } + }`)}, + patchedTargets: [][]byte{[]byte(`{ + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "name": "example-A", + "namespace": "staging", + "labels": { + "app": "nginx", + "foo": "bar" + } + }, + "spec": { + "replicas": 1, + "selector": { + "matchLabels": { + "app": "nginx" + } + }, + "template": { + "metadata": { + "labels": { + "app": "nginx" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:1.14.2", + "ports": [ + { + "containerPort": 80 + } + ] + } + ] + } + } + } + }`)}, + targetList: "DeploymentList", + }, { name: "test-different-trigger-target", policy: []byte(`{ @@ -1849,18 +2004,11 @@ func Test_mutate_existing_resources(t *testing.T) { } policyContext := createContext(t, &policy, trigger) - gvrToListKind := map[schema.GroupVersionResource]string{ - {Group: patchedTargets[0].GroupVersionKind().Group, Version: patchedTargets[0].GroupVersionKind().Version, Resource: patchedTargets[0].GroupVersionKind().Kind}: test.targetList, - } - scheme := runtime.NewScheme() - dclient, err := client.NewFakeClient(scheme, gvrToListKind, targets...) + dclient, err := client.NewFakeClient(scheme, map[schema.GroupVersionResource]string{}, targets...) require.NoError(t, err) dclient.SetDiscovery(client.NewFakeDiscoveryClient(nil)) - _, err = dclient.GetResource(context.TODO(), patchedTargets[0].GetAPIVersion(), patchedTargets[0].GetKind(), patchedTargets[0].GetNamespace(), patchedTargets[0].GetName()) - require.NoError(t, err) - er := testMutate(context.TODO(), dclient, registryclient.NewOrDie(), policyContext, nil) var actualPatchedTargets []unstructured.Unstructured diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md new file mode 100644 index 0000000000..5957b00969 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/README.md @@ -0,0 +1,21 @@ +## Description + +This test ensures that target resources for mutations can be selected using label selectors + +## Expected Behavior + +The target resource is fetched and mutated when specifying a label selector that will match it + +## Steps + +### Test Steps + +1. Create three `ConfigMap` resources, two with the required label existing and one without it. +2. Create a `ClusterPolicy` that will add a label to `ConfigMaps` on any secret events, and select targets with the label. +3. Create a `Secert` resource. +4. Assert that the `ConfigMaps` got the required labels added to them. +5. Verify that the `ConfigMap` without the required label on it didn't get changed. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/10407 \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml new file mode 100644 index 0000000000..8226b72d8c --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: test-fetching-resources-with-labelselectors +spec: + steps: + - name: step-01 + try: + - apply: + file: should-match.yaml + - apply: + file: should-not-match.yaml + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - apply: + file: secret.yaml + - assert: + file: cm-mutated.yaml + - assert: + file: should-not-match.yaml + diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml new file mode 100644 index 0000000000..809ceaab79 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/cm-mutated.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm1 + labels: + should-match: 'yes' + foo: 'bar' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm1 + labels: + should-match: 'yes' + foo: 'bar' \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml new file mode 100644 index 0000000000..5fe6abcafd --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-configmap +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml new file mode 100644 index 0000000000..45bd908677 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/policy.yaml @@ -0,0 +1,24 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: mutate-existing-configmap +spec: + rules: + - name: mutate-configmap-on-secret-event + match: + any: + - resources: + kinds: + - Secret + mutate: + targets: + - apiVersion: v1 + kind: ConfigMap + selector: + matchLabels: + should-match: 'yes' + patchStrategicMerge: + metadata: + labels: + foo: bar + \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml new file mode 100644 index 0000000000..433c026bd1 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/secret.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Secret +metadata: + name: some-secret \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml new file mode 100644 index 0000000000..603f5e4b54 --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-match.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm1 + labels: + should-match: 'yes' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm2 + labels: + should-match: 'yes' \ No newline at end of file diff --git a/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml new file mode 100644 index 0000000000..d2551eb1dc --- /dev/null +++ b/test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/labelselector/should-not-match.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cm3 + labels: + should-match: 'no' \ No newline at end of file