mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity

feat: stop reusing admissionregistrationv1.ValidatingAdmissionPolicySpec (#12246)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2025-02-25 15:48:47 +01:00 committed by GitHub
parent ad903523e2
commit 9d56f5f2b5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 409 additions and 197 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

74
api/policies.kyverno.io/v1alpha1/validating_spec_types.go
View file

@ -6,7 +6,79 @@ import (
// ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.
type ValidatingPolicySpec struct {
admissionregistrationv1.ValidatingAdmissionPolicySpec `json:",inline"`
// MatchConstraints specifies what resources this policy is designed to validate.
// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
// However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
// ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
// Required.
MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"`
// Validations contain CEL expressions which is used to apply the validation.
// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
// required.
// +listType=atomic
// +optional
Validations []admissionregistrationv1.Validation `json:"validations,omitempty"`
// failurePolicy defines how to handle failures for the admission policy. Failures can
// occur from CEL expression parse errors, type check errors, runtime errors and invalid
// or mis-configured policy definitions or bindings.
//
// A policy is invalid if spec.paramKind refers to a non-existent Kind.
// A binding is invalid if spec.paramRef.name refers to a non-existent resource.
//
// failurePolicy does not define how validations that evaluate to false are handled.
//
// When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
// define how failures are enforced.
//
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`
// auditAnnotations contains CEL expressions which are used to produce audit
// annotations for the audit event of the API request.
// validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
// required.
// +listType=atomic
// +optional
AuditAnnotations []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`
// MatchConditions is a list of conditions that must be met for a request to be validated.
// Match conditions filter requests that have already been matched by the rules,
// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
// There are a maximum of 64 match conditions allowed.
//
// If a parameter object is provided, it can be accessed via the `params` handle in the same
// manner as validation expressions.
//
// The exact matching logic is (in order):
// 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
// 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
// 3. If any matchCondition evaluates to an error (but none are FALSE):
// - If failurePolicy=Fail, reject the request
// - If failurePolicy=Ignore, the policy is skipped
//
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
// Variables contain definitions of variables that can be used in composition of other expressions.
// Each variable is defined as a named CEL expression.
// The variables defined here will be available under `variables` in other expressions of the policy
// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
//
// The expression of a variable can refer to other variables defined earlier in the list but not those after.
// Thus, Variables must be sorted by the order of first appearance and acyclic.
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
// +optional
Variables []admissionregistrationv1.Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name"`
// ValidationAction specifies the action to be taken when the matched resource violates the policy.
// Required.

33
api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
View file

@ -889,7 +889,38 @@ func (in *ValidatingPolicyList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
*out = *in
in.ValidatingAdmissionPolicySpec.DeepCopyInto(&out.ValidatingAdmissionPolicySpec)
if in.MatchConstraints != nil {
in, out := &in.MatchConstraints, &out.MatchConstraints
*out = new(v1.MatchResources)
(*in).DeepCopyInto(*out)
}
if in.Validations != nil {
in, out := &in.Validations, &out.Validations
*out = make([]v1.Validation, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.FailurePolicy != nil {
in, out := &in.FailurePolicy, &out.FailurePolicy
*out = new(v1.FailurePolicyType)
**out = **in
}
if in.AuditAnnotations != nil {
in, out := &in.AuditAnnotations, &out.AuditAnnotations
*out = make([]v1.AuditAnnotation, len(*in))
copy(*out, *in)
}
if in.MatchConditions != nil {
in, out := &in.MatchConditions, &out.MatchConditions
*out = make([]v1.MatchCondition, len(*in))
copy(*out, *in)
}
if in.Variables != nil {
in, out := &in.Variables, &out.Variables
*out = make([]v1.Variable, len(*in))
copy(*out, *in)
}
if in.ValidationAction != nil {
in, out := &in.ValidationAction, &out.ValidationAction
*out = make([]v1.ValidationAction, len(*in))

20
charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
View file

@ -530,26 +530,6 @@ spec:
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
paramKind:
description: |-
ParamKind specifies the kind of resources used to parameterize this policy.
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
properties:
apiVersion:
description: |-
APIVersion is the API group version the resources belong to.
In format of "group/version".
Required.
type: string
kind:
description: |-
Kind is the API kind the resources belong to.
Required.
type: string
type: object
x-kubernetes-map-type: atomic
validationActions:
description: |-
ValidationAction specifies the action to be taken when the matched resource violates the policy.

20
cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
View file

@ -524,26 +524,6 @@ spec:
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
paramKind:
description: |-
ParamKind specifies the kind of resources used to parameterize this policy.
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
properties:
apiVersion:
description: |-
APIVersion is the API group version the resources belong to.
In format of "group/version".
Required.
type: string
kind:
description: |-
Kind is the API kind the resources belong to.
Required.
type: string
type: object
x-kubernetes-map-type: atomic
validationActions:
description: |-
ValidationAction specifies the action to be taken when the matched resource violates the policy.

2
codecov.yml
View file

@ -1,2 +1,2 @@
ignore:
- api/**/zz_*.go'
- api/**/zz_*.go

20
config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
View file

@ -524,26 +524,6 @@ spec:
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
paramKind:
description: |-
ParamKind specifies the kind of resources used to parameterize this policy.
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
properties:
apiVersion:
description: |-
APIVersion is the API group version the resources belong to.
In format of "group/version".
Required.
type: string
kind:
description: |-
Kind is the API kind the resources belong to.
Required.
type: string
type: object
x-kubernetes-map-type: atomic
validationActions:
description: |-
ValidationAction specifies the action to be taken when the matched resource violates the policy.

20
config/install-latest-testing.yaml
View file

@ -49072,26 +49072,6 @@ spec:
x-kubernetes-list-type: atomic
type: object
x-kubernetes-map-type: atomic
paramKind:
description: |-
ParamKind specifies the kind of resources used to parameterize this policy.
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions.
If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied.
If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null.
properties:
apiVersion:
description: |-
APIVersion is the API group version the resources belong to.
In format of "group/version".
Required.
type: string
kind:
description: |-
Kind is the API kind the resources belong to.
Required.
type: string
type: object
x-kubernetes-map-type: atomic
validationActions:
description: |-
ValidationAction specifies the action to be taken when the matched resource violates the policy.

226
docs/user/crd/index.html
View file

@ -10696,17 +10696,118 @@ ValidatingPolicySpec
<table class="table table-striped">
<tr>
<td>
<code>ValidatingAdmissionPolicySpec</code><br/>
<code>matchConstraints</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validatingadmissionpolicyspec-v1-admissionregistration">
Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
Kubernetes admissionregistration/v1.MatchResources
</a>
</em>
</td>
<td>
<p>
(Members of <code>ValidatingAdmissionPolicySpec</code> are embedded into this type.)
</p>
<p>MatchConstraints specifies what resources this policy is designed to validate.
The AdmissionPolicy cares about a request if it matches <em>all</em> Constraints.
However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
Required.</p>
</td>
</tr>
<tr>
<td>
<code>validations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Validation
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Validations contain CEL expressions which is used to apply the validation.
Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
required.</p>
</td>
</tr>
<tr>
<td>
<code>failurePolicy</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#failurepolicytype-v1-admissionregistration">
Kubernetes admissionregistration/v1.FailurePolicyType
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>failurePolicy defines how to handle failures for the admission policy. Failures can
occur from CEL expression parse errors, type check errors, runtime errors and invalid
or mis-configured policy definitions or bindings.</p>
<p>A policy is invalid if spec.paramKind refers to a non-existent Kind.
A binding is invalid if spec.paramRef.name refers to a non-existent resource.</p>
<p>failurePolicy does not define how validations that evaluate to false are handled.</p>
<p>When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
define how failures are enforced.</p>
<p>Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td>
</tr>
<tr>
<td>
<code>auditAnnotations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.AuditAnnotation
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>auditAnnotations contains CEL expressions which are used to produce audit
annotations for the audit event of the API request.
validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
required.</p>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>MatchConditions is a list of conditions that must be met for a request to be validated.
Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.</p>
<p>If a parameter object is provided, it can be accessed via the <code>params</code> handle in the same
manner as validation expressions.</p>
<p>The exact matching logic is (in order):
1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
3. If any matchCondition evaluates to an error (but none are FALSE):
- If failurePolicy=Fail, reject the request
- If failurePolicy=Ignore, the policy is skipped</p>
</td>
</tr>
<tr>
<td>
<code>variables</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Variable
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under <code>variables</code> in other expressions of the policy
except MatchConditions because MatchConditions are evaluated before the rest of the policy.</p>
<p>The expression of a variable can refer to other variables defined earlier in the list but not those after.
Thus, Variables must be sorted by the order of first appearance and acyclic.</p>
</td>
</tr>
<tr>
@ -12362,17 +12463,118 @@ string
<tbody>
<tr>
<td>
<code>ValidatingAdmissionPolicySpec</code><br/>
<code>matchConstraints</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validatingadmissionpolicyspec-v1-admissionregistration">
Kubernetes admissionregistration/v1.ValidatingAdmissionPolicySpec
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchresources-v1-admissionregistration">
Kubernetes admissionregistration/v1.MatchResources
</a>
</em>
</td>
<td>
<p>
(Members of <code>ValidatingAdmissionPolicySpec</code> are embedded into this type.)
</p>
<p>MatchConstraints specifies what resources this policy is designed to validate.
The AdmissionPolicy cares about a request if it matches <em>all</em> Constraints.
However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API
ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding.
Required.</p>
</td>
</tr>
<tr>
<td>
<code>validations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Validation
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Validations contain CEL expressions which is used to apply the validation.
Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
required.</p>
</td>
</tr>
<tr>
<td>
<code>failurePolicy</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#failurepolicytype-v1-admissionregistration">
Kubernetes admissionregistration/v1.FailurePolicyType
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>failurePolicy defines how to handle failures for the admission policy. Failures can
occur from CEL expression parse errors, type check errors, runtime errors and invalid
or mis-configured policy definitions or bindings.</p>
<p>A policy is invalid if spec.paramKind refers to a non-existent Kind.
A binding is invalid if spec.paramRef.name refers to a non-existent resource.</p>
<p>failurePolicy does not define how validations that evaluate to false are handled.</p>
<p>When failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions
define how failures are enforced.</p>
<p>Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td>
</tr>
<tr>
<td>
<code>auditAnnotations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.AuditAnnotation
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>auditAnnotations contains CEL expressions which are used to produce audit
annotations for the audit event of the API request.
validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is
required.</p>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>MatchConditions is a list of conditions that must be met for a request to be validated.
Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.</p>
<p>If a parameter object is provided, it can be accessed via the <code>params</code> handle in the same
manner as validation expressions.</p>
<p>The exact matching logic is (in order):
1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
3. If any matchCondition evaluates to an error (but none are FALSE):
- If failurePolicy=Fail, reject the request
- If failurePolicy=Ignore, the policy is skipped</p>
</td>
</tr>
<tr>
<td>
<code>variables</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.Variable
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under <code>variables</code> in other expressions of the policy
except MatchConditions because MatchConditions are evaluated before the rest of the policy.</p>
<p>The expression of a variable can refer to other variables defined earlier in the list but not those after.
Thus, Variables must be sorted by the order of first appearance and acyclic.</p>
</td>
</tr>
<tr>

1
pkg/admissionpolicy/builder.go
View file

@ -97,7 +97,6 @@ func BuildValidatingAdmissionPolicy(
} else if vpol := policy.AsValidatingPolicy(); vpol != nil {
matchResources = *vpol.Spec.MatchConstraints
matchConditions = vpol.Spec.MatchConditions
paramKind = vpol.Spec.ParamKind
validations = vpol.Spec.Validations
auditAnnotations = vpol.Spec.AuditAnnotations
variables = vpol.Spec.Variables

80
pkg/cel/policy/compiler_test.go
View file

@ -25,32 +25,30 @@ func Test_compiler_Compile(t *testing.T) {
Name: "foo",
},
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{
admissionregistrationv1.Create,
admissionregistrationv1.Update,
},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"pods"},
},
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{
admissionregistrationv1.Create,
admissionregistrationv1.Update,
},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"pods"},
},
},
},
},
Variables: []admissionregistrationv1.Variable{{
Name: "environment",
Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'",
}},
Validations: []admissionregistrationv1.Validation{{
Expression: "variables.environment == true",
}},
},
Variables: []admissionregistrationv1.Variable{{
Name: "environment",
Expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'",
}},
Validations: []admissionregistrationv1.Validation{{
Expression: "variables.environment == true",
}},
},
},
}, {
@ -64,32 +62,30 @@ func Test_compiler_Compile(t *testing.T) {
Name: "foo",
},
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{
admissionregistrationv1.Create,
admissionregistrationv1.Update,
},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"pods"},
},
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{
admissionregistrationv1.Create,
admissionregistrationv1.Update,
},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{""},
APIVersions: []string{"v1"},
Resources: []string{"pods"},
},
},
},
},
Variables: []admissionregistrationv1.Variable{{
Name: "cm",
Expression: "context.GetConfigMap('foo', 'bar')",
}},
Validations: []admissionregistrationv1.Validation{{
Expression: "variables.cm != null",
}},
},
Variables: []admissionregistrationv1.Variable{{
Name: "cm",
Expression: "context.GetConfigMap('foo', 'bar')",
}},
Validations: []admissionregistrationv1.Validation{{
Expression: "variables.cm != null",
}},
},
},
}}

110
pkg/controllers/webhook/validatingpolicy_test.go
View file

@ -22,19 +22,17 @@ func TestBuildWebhookRules(t *testing.T) {
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
},
},
@ -66,19 +64,17 @@ func TestBuildWebhookRules(t *testing.T) {
vpols: []*policiesv1alpha1.ValidatingPolicy{
{
Spec: policiesv1alpha1.ValidatingPolicySpec{
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
},
},
@ -116,20 +112,18 @@ func TestBuildWebhookRules(t *testing.T) {
WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(30)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
MatchPolicy: ptr.To(admissionregistrationv1.Exact),
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
FailurePolicy: ptr.To(admissionregistrationv1.Ignore),
MatchConstraints: &admissionregistrationv1.MatchResources{
MatchPolicy: ptr.To(admissionregistrationv1.Exact),
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
},
},
@ -170,29 +164,27 @@ func TestBuildWebhookRules(t *testing.T) {
WebhookConfiguration: &policiesv1alpha1.WebhookConfiguration{
TimeoutSeconds: ptr.To(int32(20)),
},
ValidatingAdmissionPolicySpec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
MatchPolicy: ptr.To(admissionregistrationv1.Exact),
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
FailurePolicy: ptr.To(admissionregistrationv1.Fail),
MatchConstraints: &admissionregistrationv1.MatchResources{
MatchPolicy: ptr.To(admissionregistrationv1.Exact),
ResourceRules: []admissionregistrationv1.NamedRuleWithOperations{
{
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Operations: []admissionregistrationv1.OperationType{admissionregistrationv1.Create},
Rule: admissionregistrationv1.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*"},
Scope: ptr.To(admissionregistrationv1.ScopeType("*")),
},
},
},
},
MatchConditions: []admissionregistrationv1.MatchCondition{
{
Name: "exclude-leases",
Expression: "!(request.resource.group == 'coordination.k8s.io' && request.resource.resource == 'leases')",
},
},
MatchConditions: []admissionregistrationv1.MatchCondition{
{
Name: "exclude-leases",
Expression: "!(request.resource.group == 'coordination.k8s.io' && request.resource.resource == 'leases')",
},
},
},