mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: list operators in deny conditions (#1641)

Browse source 
* fix: list operators in deny conditions

Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>

* fix: regenerated YAMLs

Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
This commit is contained in:
Arsh Sharma 2021-02-26 03:13:35 +00:00 committed by GitHub
parent f438e0d5e6
commit a0d28f0b16
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
charts/kyverno/crds/crds.yaml
View file

@ -106,7 +106,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -256,7 +256,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -382,6 +382,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -392,13 +393,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -422,13 +424,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1285,7 +1288,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1435,7 +1438,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1561,6 +1564,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -1571,13 +1575,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1601,13 +1606,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true

7
definitions/crds/kyverno.io_clusterpolicies.yaml
View file

@ -596,13 +596,15 @@ spec:
for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid
operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of
values. The values can be fixed set or can be variables
@ -634,12 +636,15 @@ spec:
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
Valid operators are Equals, NotEquals, In and
NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or
set of values. The values can be fixed set or

7
definitions/crds/kyverno.io_policies.yaml
View file

@ -597,13 +597,15 @@ spec:
for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid
operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of
values. The values can be fixed set or can be variables
@ -635,12 +637,15 @@ spec:
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
Valid operators are Equals, NotEquals, In and
NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or
set of values. The values can be fixed set or

22
definitions/install.yaml
View file

@ -111,7 +111,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -261,7 +261,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -387,6 +387,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -397,13 +398,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -427,13 +429,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1290,7 +1293,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1440,7 +1443,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1566,6 +1569,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -1576,13 +1580,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1606,13 +1611,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true

22
definitions/install_debug.yaml
View file

@ -111,7 +111,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -261,7 +261,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -387,6 +387,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -397,13 +398,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -427,13 +429,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1290,7 +1293,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1440,7 +1443,7 @@ spec:
description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character).
type: string
namespaceSelector:
description: 'NamespaceSelector is a label selector for namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@ -1566,6 +1569,7 @@ spec:
type: object
name:
description: Name is a label to identify the rule, It must be unique within the policy.
maxLength: 63
type: string
preconditions:
description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation.
@ -1576,13 +1580,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
@ -1606,13 +1611,14 @@ spec:
description: Key is the context entry (using JMESPath) for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator is the operation to perform.
description: Operator is the operation to perform. Valid operators are Equals, NotEquals, In and NotIn.
enum:
- Equals
- NotEquals
- In
- NotIn
type: string
x-kubernetes-preserve-unknown-fields: true
value:
description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true

4
pkg/api/kyverno/v1/policy_types.go
View file

@ -150,7 +150,9 @@ type Condition struct {
// +kubebuilder:validation:XPreserveUnknownFields
Key apiextensions.JSON `json:"key,omitempty" yaml:"key,omitempty"`
// Operator is the operation to perform.
// Operator is the operation to perform. Valid operators
// are Equals, NotEquals, In and NotIn.
// +kubebuilder:validation:XPreserveUnknownFields
Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
// Value is the conditional value, or set of values. The values can be fixed set