From a0d28f0b16d2f9a481940bc38852e05256be4570 Mon Sep 17 00:00:00 2001
From: Arsh Sharma <56963264+RinkiyaKeDad@users.noreply.github.com>
Date: Fri, 26 Feb 2021 03:13:35 +0000
Subject: [PATCH] fix: list operators in deny conditions (#1641)

* fix: list operators in deny conditions

Signed-off-by: Arsh Sharma

* fix: regenerated YAMLs

Signed-off-by: Arsh Sharma
---
 charts/kyverno/crds/crds.yaml | 22 ++++++++++++-------
 .../crds/kyverno.io_clusterpolicies.yaml | 7 +++++-
 definitions/crds/kyverno.io_policies.yaml | 7 +++++-
 definitions/install.yaml | 22 ++++++++++++-------
 definitions/install_debug.yaml | 22 ++++++++++++-------
 pkg/api/kyverno/v1/policy_types.go | 4 +++-
 6 files changed, 57 insertions(+), 27 deletions(-)

diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index b748395353..12a616d8f3 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -106,7 +106,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -256,7 +256,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -382,6 +382,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -392,13 +393,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -422,13 +424,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true 
@@ -1285,7 +1288,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -1435,7 +1438,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -1561,6 +1564,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -1571,13 +1575,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -1601,13 +1606,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index bab7108f0f..2b1cdfd367 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml @@ -596,13 +596,15 @@ spec: for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid + operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables 
@@ -634,12 +636,15 @@ spec: x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. + Valid operators are Equals, NotEquals, In and + NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index bd66fa4062..0ea34db6ad 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml @@ -597,13 +597,15 @@ spec: for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid + operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables @@ -635,12 +637,15 @@ spec: x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. + Valid operators are Equals, NotEquals, In and + NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or diff --git a/definitions/install.yaml b/definitions/install.yaml index 48500f39ff..f7998542d9 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -111,7 +111,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -261,7 +261,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -387,6 +387,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -397,13 +398,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -427,13 +429,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true 
@@ -1290,7 +1293,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -1440,7 +1443,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -1566,6 +1569,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -1576,13 +1580,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -1606,13 +1611,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 7531296a0f..dee1ce58e9 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml 
@@ -111,7 +111,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -261,7 +261,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -387,6 +387,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -397,13 +398,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -427,13 +429,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true 
@@ -1290,7 +1293,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
@@ -1440,7 +1443,7 @@ spec: description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaceSelector: - description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. @@ -1566,6 +1569,7 @@ spec: type: object name: description: Name is a label to identify the rule, It must be unique within the policy. + maxLength: 63 type: string preconditions: description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. 
@@ -1576,13 +1580,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true @@ -1606,13 +1611,14 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: - description: Operator is the operation to perform. + description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn. enum: - Equals - NotEquals - In - NotIn type: string + x-kubernetes-preserve-unknown-fields: true value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 98c8742d1c..e4d03de004 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -150,7 +150,9 @@ type Condition struct { // +kubebuilder:validation:XPreserveUnknownFields Key apiextensions.JSON `json:"key,omitempty" yaml:"key,omitempty"` - // Operator is the operation to perform. + // Operator is the operation to perform. Valid operators + // are Equals, NotEquals, In and NotIn. + // +kubebuilder:validation:XPreserveUnknownFields Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"` // Value is the conditional value, or set of values. The values can be fixed set
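Review bot: The `// +kubebuilder:validation:XPreserveUnknownFields` marker added above `Operator` in policy_types.go has no comment saying why it is there, and its effect on a scalar field is unclear: the regenerated CRDs in this same patch still emit `type: string` with `enum: [Equals, NotEquals, In, NotIn]` for `operator`, so the API server's enum check is unchanged, and as far as I know that marker only controls pruning of unknown nested fields, of which a string has none. If the intent behind "list operators in deny conditions" is to accept operator values beyond the four listed, they should be added to the `ConditionOperator` enum so the CRD schema stays the enforcement point; if the intent is different, add a why-comment such as `// XPreserveUnknownFields: <reason>; accepted values are still limited by the Enum marker.` For an admission-policy CRD the schema is what keeps malformed deny conditions out of the cluster, so any loosening of it deserves an explicit rationale and a test, and it is worth confirming (the evaluation code is not in this hunk) that an operator value unknown to the evaluator does not make a deny condition silently evaluate as not-denied. The enclosing `Condition` struct starts before and ends after this hunk.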