mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

feat: migrate webhookTimeoutSeconds and failurePolicy (#10515)

* feat: migrate webhookTimeoutSeconds and failurePolicy

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix lint issue

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Mariam Fahmy 2024-06-20 20:04:37 +07:00 committed by GitHub
parent 692014f21c
commit abe2a2310b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
20 changed files with 688 additions and 482 deletions


@ -53,7 +53,20 @@ const (
// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
type WebhookConfiguration struct {
// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
// Rules within the same policy share the same failure behavior.
// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" yaml:"timeoutSeconds,omitempty"`
// MatchCondition configures admission webhook matchConditions.
// Requires Kubernetes 1.27 or later.
// +optional
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
}
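Review bot: `TimeoutSeconds` in `WebhookConfiguration` is the only field of the struct without a `// +optional` marker, and its documented 1–30 second range is not expressed in the schema; the generated CRDs in this commit show only `format: int32` and `type: integer` for `timeoutSeconds`. The range is checked in `Spec.Validate`, so an out-of-range value is rejected only where that function runs. Consider adding `// +optional`, `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` above the field so the API server enforces the bound as well. The copied sentence about `GetFailurePolicy()` on `FailurePolicy` would also read better as a pointer to `Spec.GetFailurePolicy`, since the accessor visible in this commit is defined on `Spec`, not on this type.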


@ -60,11 +60,7 @@ type Spec struct {
// +optional
ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
// Rules within the same policy share the same failure behavior.
// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
// Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// ValidationFailureAction defines if a validation policy rule violation should block
@ -97,9 +93,7 @@ type Spec struct {
// Deprecated.
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
@ -121,7 +115,6 @@ type Spec struct {
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
// Requires Kubernetes 1.27 or later.
// +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
}
@ -274,10 +267,22 @@ func (s *Spec) IsGenerateExisting() bool {
func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType {
if toggle.FromContext(ctx).ForceFailurePolicyIgnore() {
return Ignore
} else if s.FailurePolicy == nil {
return Fail
} else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
return *s.WebhookConfiguration.FailurePolicy
} else if s.FailurePolicy != nil {
return *s.FailurePolicy
}
return *s.FailurePolicy
return Fail
}
func (s *Spec) GetWebhookTimeoutSeconds() *int32 {
if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
return s.WebhookConfiguration.TimeoutSeconds
}
if s.WebhookTimeoutSeconds != nil {
return s.WebhookTimeoutSeconds
}
return nil
}
// GetMatchConditions returns matchConditions in webhookConfiguration
@ -288,7 +293,7 @@ func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition {
return nil
}
// GetFailurePolicy returns the failure policy to be applied
// GetApplyRules returns the apply rules type
func (s *Spec) GetApplyRules() ApplyRulesType {
if s.ApplyRules == nil {
return ApplyAll
@ -320,6 +325,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
}
func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead"))
}
if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
}
for _, rule := range s.Rules {
if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
if s.GenerateExistingOnPolicyUpdate != nil {
@ -364,6 +377,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin
if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) {
errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
}
if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) {
errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
}
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
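Review bot: The deprecation comment on `WebhookTimeoutSeconds` in `Spec` tells users to `use webhookTimeoutSeconds under webhookConfiguration`, but the replacement field added by this commit is serialized as `timeoutSeconds`, which is also the name the `field.Forbidden` message in `validateDeprecatedFields` uses. Since this comment is what ends up as the CRD description, I would change it to `// Deprecated: use timeoutSeconds under webhookConfiguration instead.`; the same wording appears in the v2beta1 `Spec`. Writing `Deprecated:` with a colon, in its own comment paragraph, also lets Go tooling flag remaining uses of both deprecated fields. The `Spec` struct and `Validate` both continue outside the hunks shown.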


@ -1690,6 +1690,16 @@ func (in *Variable) DeepCopy() *Variable {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
*out = *in
if in.FailurePolicy != nil {
in, out := &in.FailurePolicy, &out.FailurePolicy
*out = new(FailurePolicyType)
**out = **in
}
if in.TimeoutSeconds != nil {
in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
*out = new(int32)
**out = **in
}
if in.MatchConditions != nil {
in, out := &in.MatchConditions, &out.MatchConditions
*out = make([]admissionregistrationv1.MatchCondition, len(*in))


@ -2,18 +2,10 @@ package v2beta1
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
type WebhookConfiguration struct {
// MatchCondition configures admission webhook matchConditions.
// +optional
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
}
// Validation defines checks to be performed on matching resources.
type Validation struct {
// Message specifies a custom message to be displayed on failure.


@ -1,9 +1,11 @@
package v2beta1
import (
"context"
"fmt"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/toggle"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
)
@ -21,10 +23,7 @@ type Spec struct {
// +optional
ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
// Rules within the same policy share the same failure behavior.
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
// Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// ValidationFailureAction defines if a validation policy rule violation should block
@ -57,9 +56,7 @@ type Spec struct {
// Deprecated.
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
@ -80,9 +77,8 @@ type Spec struct {
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
// Requires Kubernetes 1.27 or later.
// +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
}
func (s *Spec) CustomWebhookConfiguration() bool {
@ -237,14 +233,28 @@ func (s *Spec) IsGenerateExisting() bool {
}
// GetFailurePolicy returns the failure policy to be applied
func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType {
if s.FailurePolicy == nil {
return kyvernov1.Fail
func (s *Spec) GetFailurePolicy(ctx context.Context) kyvernov1.FailurePolicyType {
if toggle.FromContext(ctx).ForceFailurePolicyIgnore() {
return kyvernov1.Ignore
} else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
return *s.WebhookConfiguration.FailurePolicy
} else if s.FailurePolicy != nil {
return *s.FailurePolicy
}
return *s.FailurePolicy
return kyvernov1.Fail
}
// GetFailurePolicy returns the failure policy to be applied
func (s *Spec) GetWebhookTimeoutSeconds() *int32 {
if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
return s.WebhookConfiguration.TimeoutSeconds
}
if s.WebhookTimeoutSeconds != nil {
return s.WebhookTimeoutSeconds
}
return nil
}
// GetApplyRules returns the apply rules type
func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType {
if s.ApplyRules == nil {
return kyvernov1.ApplyAll
@ -275,6 +285,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
}
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead"))
}
if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
}
for _, rule := range s.Rules {
if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
if s.GenerateExistingOnPolicyUpdate != nil {
@ -302,6 +320,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin
if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) {
errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
}
if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) {
errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
}
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
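Review bot: The comment above `GetWebhookTimeoutSeconds` is a copy of the one on `GetFailurePolicy` (`// GetFailurePolicy returns the failure policy to be applied`), so the exported method is documented under the wrong name; the v1 counterpart has no doc comment at all. Something like `// GetWebhookTimeoutSeconds returns webhookConfiguration.timeoutSeconds if set, otherwise the deprecated webhookTimeoutSeconds, otherwise nil.` would fit both. The comment on `GetFailurePolicy` could likewise state the order it now applies: the `ForceFailurePolicyIgnore` toggle first, then `webhookConfiguration.failurePolicy`, then the deprecated field, then `Fail`. That order matters to anyone auditing when admission fails open, because the toggle returns `Ignore` regardless of what the policy declares.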


@ -812,7 +812,7 @@ func (in *Spec) DeepCopyInto(out *Spec) {
}
if in.WebhookConfiguration != nil {
in, out := &in.WebhookConfiguration, &out.WebhookConfiguration
*out = new(WebhookConfiguration)
*out = new(v1.WebhookConfiguration)
(*in).DeepCopyInto(*out)
}
return
@ -880,24 +880,3 @@ func (in *Validation) DeepCopy() *Validation {
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) {
*out = *in
if in.MatchConditions != nil {
in, out := &in.MatchConditions, &out.MatchConditions
*out = make([]admissionregistrationv1.MatchCondition, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.
func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration {
if in == nil {
return nil
}
out := new(WebhookConfiguration)
in.DeepCopyInto(out)
return out
}


@ -113,11 +113,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4297,12 +4294,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4343,12 +4351,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8696,10 +8709,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12620,12 +12631,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12666,12 +12688,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object


@ -114,11 +114,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4298,12 +4295,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4344,12 +4352,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8699,10 +8712,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12623,12 +12634,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12669,12 +12691,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object


@ -107,11 +107,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4291,12 +4288,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4337,12 +4345,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8690,10 +8703,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12614,12 +12625,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12660,12 +12682,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object


@ -108,11 +108,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4292,12 +4289,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4338,12 +4346,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8693,10 +8706,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12617,12 +12628,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12663,12 +12685,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object


@ -107,11 +107,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4291,12 +4288,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4337,12 +4345,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8690,10 +8703,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12614,12 +12625,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12660,12 +12682,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
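Review bot: The deprecation text added for `webhookTimeoutSeconds` names the wrong replacement: it reads `use webhookTimeoutSeconds under webhookConfiguration instead`, but the property this commit adds under `webhookConfiguration` is `timeoutSeconds`, so I would word it `Deprecated, use timeoutSeconds under webhookConfiguration instead.` Separately, the new `timeoutSeconds` description says the value must be between 1 and 30 seconds, yet the schema shown carries only `format: int32` and `type: integer`, so the API server will not reject an out-of-range value by itself. Adding `minimum: 1` and `maximum: 30` here (or the equivalent validation markers on the Go field, if this CRD is generated from it) would enforce the documented range at admission, unless it is already checked in code that is not visible on this page. Both points apply to each `webhookConfiguration` / `webhookTimeoutSeconds` pair in this file and to the other CRD copies in this commit; the surrounding `spec` schema lies outside the hunks.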


@ -108,11 +108,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -4292,12 +4289,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -4338,12 +4346,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -8693,10 +8706,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -12617,12 +12628,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -12663,12 +12685,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
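Review bot: With `failurePolicy` now accepted both at the top level of `spec` (deprecated) and under `webhookConfiguration`, neither description says which value takes effect when a policy sets both. That matters because, per the descriptions here, the failure policy decides whether an admission request fails or the policy results are ignored on errors and timeouts. I would state the precedence in the deprecated field's text, e.g. `Deprecated, use failurePolicy under the webhookConfiguration instead. If both are set, <field that wins> takes effect.`, filled in with whatever the code implements (not visible on this page). The deprecated text also drops the sentence `Allowed values are Ignore or Fail. Defaults to Fail.`, so the default for a policy that still uses the old field is no longer documented. The new description carries over the Go-facing sentence about `GetFailurePolicy()`, which has no meaning for someone writing a policy manifest and could be left out of the CRD text.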


@ -5314,11 +5314,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -9498,12 +9495,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -9544,12 +9552,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -13897,10 +13910,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -17821,12 +17832,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -17867,12 +17889,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -22502,11 +22529,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -26686,12 +26710,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -26732,12 +26767,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object
@ -31087,10 +31127,8 @@ spec:
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.
description: Deprecated, use failurePolicy under the webhookConfiguration
instead.
enum:
- Ignore
- Fail
@ -35011,12 +35049,23 @@ spec:
type: object
type: array
webhookConfiguration:
description: |-
WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.
description: WebhookConfiguration specifies the custom configuration
for Kubernetes admission webhookconfiguration.
properties:
failurePolicy:
description: |-
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
matchConditions:
description: MatchCondition configures admission webhook matchConditions.
description: |-
MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
@ -35057,12 +35106,17 @@ spec:
- name
type: object
type: array
timeoutSeconds:
description: |-
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
format: int32
type: integer
type: object
webhookTimeoutSeconds:
description: |-
WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration
instead.
format: int32
type: integer
type: object


@ -147,11 +147,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -232,9 +228,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -298,8 +292,7 @@ WebhookConfiguration
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</table>
@ -422,11 +415,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -507,9 +496,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -573,8 +560,7 @@ WebhookConfiguration
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</table>
@ -1631,6 +1617,7 @@ string
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Spec">Spec</a>,
<a href="#kyverno.io/v1.WebhookConfiguration">WebhookConfiguration</a>,
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
</p>
<p>
@ -3951,11 +3938,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -4036,9 +4019,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -4102,8 +4083,7 @@ WebhookConfiguration
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</tbody>
@ -4641,7 +4621,8 @@ expression evaluates to nil</p>
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Spec">Spec</a>)
<a href="#kyverno.io/v1.Spec">Spec</a>,
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
</p>
<p>
<p>WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.</p>
@ -4656,6 +4637,36 @@ expression evaluates to nil</p>
<tbody>
<tr>
<td>
<code>failurePolicy</code><br/>
<em>
<a href="#kyverno.io/v1.FailurePolicyType">
FailurePolicyType
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td>
</tr>
<tr>
<td>
<code>timeoutSeconds</code><br/>
<em>
int32
</em>
</td>
<td>
<p>TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
</td>
</tr>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
@ -4665,7 +4676,8 @@ expression evaluates to nil</p>
</td>
<td>
<em>(Optional)</em>
<p>MatchCondition configures admission webhook matchConditions.</p>
<p>MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.</p>
</td>
</tr>
</tbody>
@ -7350,10 +7362,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -7434,9 +7443,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -7492,15 +7499,14 @@ Defaults to &ldquo;false&rdquo; if not specified.</p>
<td>
<code>webhookConfiguration</code><br/>
<em>
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
<a href="#kyverno.io/v1.WebhookConfiguration">
WebhookConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</table>
@ -7623,10 +7629,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -7707,9 +7710,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -7765,15 +7766,14 @@ Defaults to &ldquo;false&rdquo; if not specified.</p>
<td>
<code>webhookConfiguration</code><br/>
<em>
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
<a href="#kyverno.io/v1.WebhookConfiguration">
WebhookConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</table>
@ -9016,10 +9016,7 @@ FailurePolicyType
</em>
</td>
<td>
<em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -9100,9 +9097,7 @@ int32
</em>
</td>
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
</td>
</tr>
<tr>
@ -9158,15 +9153,14 @@ Defaults to &ldquo;false&rdquo; if not specified.</p>
<td>
<code>webhookConfiguration</code><br/>
<em>
<a href="#kyverno.io/v2beta1.WebhookConfiguration">
<a href="#kyverno.io/v1.WebhookConfiguration">
WebhookConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
</td>
</tr>
</tbody>
@ -9304,40 +9298,6 @@ CEL
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2beta1.WebhookConfiguration">WebhookConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
</p>
<p>
<p>WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>matchConditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1-admissionregistration">
[]Kubernetes admissionregistration/v1.MatchCondition
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>MatchCondition configures admission webhook matchConditions.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h2 id="reports.kyverno.io/v1">reports.kyverno.io/v1</h2>
<p>
</p>


@ -204,6 +204,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -218,10 +220,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -398,9 +397,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -539,8 +536,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -765,6 +761,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -779,10 +777,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -959,9 +954,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -1100,8 +1093,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -3310,7 +3302,8 @@ Dryrun requires additional permissions. See config/dryrun/dryrun_rbac.yaml</p>
<p>
(<em>Appears in:</em>
<a href="#kyverno-io-v1-Spec">Spec</a>)
<a href="#kyverno-io-v1-Spec">Spec</a>,
<a href="#kyverno-io-v1-WebhookConfiguration">WebhookConfiguration</a>)
</p>
@ -7803,6 +7796,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -7817,10 +7812,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -7997,9 +7989,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -8138,8 +8128,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -9271,6 +9260,69 @@ expression evaluates to nil</p>
<tr>
<td><code>failurePolicy</code>
</br>
<a href="#kyverno-io-v1-FailurePolicyType">
<span style="font-family: monospace">FailurePolicyType</span>
</a>
</td>
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td>
</tr>
<tr>
<td><code>timeoutSeconds</code>
<span style="color:blue;"> *</span>
</br>
<span style="font-family: monospace">int32</span>
</td>
<td>
<p>TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
</td>
</tr>
<tr>
<td><code>matchConditions</code>
@ -9286,7 +9338,8 @@ expression evaluates to nil</p>
<td>
<p>MatchCondition configures admission webhook matchConditions.</p>
<p>MatchCondition configures admission webhook matchConditions.
Requires Kubernetes 1.27 or later.</p>


@ -804,6 +804,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -818,9 +820,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -997,9 +997,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -1131,7 +1129,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<a href="#kyverno-io-v2beta1-WebhookConfiguration">
<a href="#kyverno-io-v1-WebhookConfiguration">
<span style="font-family: monospace">WebhookConfiguration</span>
</a>
@ -1140,8 +1138,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -1366,6 +1363,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -1380,9 +1379,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -1559,9 +1556,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -1693,7 +1688,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<a href="#kyverno-io-v2beta1-WebhookConfiguration">
<a href="#kyverno-io-v1-WebhookConfiguration">
<span style="font-family: monospace">WebhookConfiguration</span>
</a>
@ -1702,8 +1697,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -4140,6 +4134,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr>
<td><code>failurePolicy</code>
<span style="color:blue;"> *</span>
</br>
@ -4154,9 +4150,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior.
Allowed values are Ignore or Fail. Defaults to Fail.</p>
<p>Deprecated, use failurePolicy under the webhookConfiguration instead.</p>
@ -4333,9 +4327,7 @@ uses variables that are only available in the admission review request (e.g. use
<td>
<p>WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
After the configured time expires, the admission request may fail, or may simply ignore the policy results,
based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.</p>
<p>Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.</p>
@ -4467,7 +4459,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<a href="#kyverno-io-v2beta1-WebhookConfiguration">
<a href="#kyverno-io-v1-WebhookConfiguration">
<span style="font-family: monospace">WebhookConfiguration</span>
</a>
@ -4476,8 +4468,7 @@ Defaults to &quot;false&quot; if not specified.</p>
<td>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
Requires Kubernetes 1.27 or later.</p>
<p>WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.</p>
@ -4753,69 +4744,6 @@ by specifying exclusions for Pod Security Standards controls.</p>
</tbody>
</table>
<H3 id="kyverno-io-v2beta1-WebhookConfiguration">WebhookConfiguration
</H3>
<p>
(<em>Appears in:</em>
<a href="#kyverno-io-v2beta1-Spec">Spec</a>)
</p>
<p><p>WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>matchConditions</code>
</br>
<span style="font-family: monospace">[]admissionregistration/v1.MatchCondition</span>
</td>
<td>
<p>MatchCondition configures admission webhook matchConditions.</p>
</td>
</tr>
</tbody>
</table>


@ -19,13 +19,16 @@ limitations under the License.
package v1
import (
v1 "k8s.io/api/admissionregistration/v1"
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
// WebhookConfigurationApplyConfiguration represents an declarative configuration of the WebhookConfiguration type for use
// with apply.
type WebhookConfigurationApplyConfiguration struct {
MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"`
FailurePolicy *v1.FailurePolicyType `json:"failurePolicy,omitempty"`
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
}
// WebhookConfigurationApplyConfiguration constructs an declarative configuration of the WebhookConfiguration type for use with
@ -34,10 +37,26 @@ func WebhookConfiguration() *WebhookConfigurationApplyConfiguration {
return &WebhookConfigurationApplyConfiguration{}
}
// WithFailurePolicy sets the FailurePolicy field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the FailurePolicy field is set to the value of the last call.
func (b *WebhookConfigurationApplyConfiguration) WithFailurePolicy(value v1.FailurePolicyType) *WebhookConfigurationApplyConfiguration {
b.FailurePolicy = &value
return b
}
// WithTimeoutSeconds sets the TimeoutSeconds field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the TimeoutSeconds field is set to the value of the last call.
func (b *WebhookConfigurationApplyConfiguration) WithTimeoutSeconds(value int32) *WebhookConfigurationApplyConfiguration {
b.TimeoutSeconds = &value
return b
}
// WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the MatchConditions field.
func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *WebhookConfigurationApplyConfiguration {
func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...admissionregistrationv1.MatchCondition) *WebhookConfigurationApplyConfiguration {
for i := range values {
b.MatchConditions = append(b.MatchConditions, values[i])
}


@ -39,7 +39,7 @@ type SpecApplyConfiguration struct {
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
GenerateExisting *bool `json:"generateExisting,omitempty"`
UseServerSideApply *bool `json:"useServerSideApply,omitempty"`
WebhookConfiguration *WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"`
WebhookConfiguration *kyvernov1.WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"`
}
// SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with
@ -165,7 +165,7 @@ func (b *SpecApplyConfiguration) WithUseServerSideApply(value bool) *SpecApplyCo
// WithWebhookConfiguration sets the WebhookConfiguration field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the WebhookConfiguration field is set to the value of the last call.
func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration {
func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *kyvernov1.WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration {
b.WebhookConfiguration = value
return b
}


@ -243,8 +243,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov2beta1.SpecApplyConfiguration{}
case v2beta1.SchemeGroupVersion.WithKind("Validation"):
return &kyvernov2beta1.ValidationApplyConfiguration{}
case v2beta1.SchemeGroupVersion.WithKind("WebhookConfiguration"):
return &kyvernov2beta1.WebhookConfigurationApplyConfiguration{}
// Group=reports.kyverno.io, Version=v1
case reportsv1.SchemeGroupVersion.WithKind("ClusterEphemeralReport"):


@ -1030,9 +1030,10 @@ func (c *controller) mergeWebhook(dst *webhook, policy kyvernov1.PolicyInterface
}
spec := policy.GetSpec()
if spec.WebhookTimeoutSeconds != nil {
if dst.maxWebhookTimeout < *spec.WebhookTimeoutSeconds {
dst.maxWebhookTimeout = *spec.WebhookTimeoutSeconds
webhookTimeoutSeconds := spec.GetWebhookTimeoutSeconds()
if webhookTimeoutSeconds != nil {
if dst.maxWebhookTimeout < *webhookTimeoutSeconds {
dst.maxWebhookTimeout = *webhookTimeoutSeconds
}
}
}
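Review bot: The new `webhookTimeoutSeconds := spec.GetWebhookTimeoutSeconds()` call does not say which value wins when a policy sets both the deprecated `spec.webhookTimeoutSeconds` and the new `webhookConfiguration.timeoutSeconds`, and the getter's body is not in this hunk. Once the precedence is confirmed, a one-line comment above the call should state it and note that the webhook ends up with the largest timeout across the merged policies. The two nested checks could also be written as `if t := spec.GetWebhookTimeoutSeconds(); t != nil && dst.maxWebhookTimeout < *t { dst.maxWebhookTimeout = *t }`. The value is copied into `dst.maxWebhookTimeout` without a range check at this point, so it is worth confirming that the new field carries the 1 to 30 second schema validation the docs describe, because the Kubernetes API rejects a webhook `timeoutSeconds` outside that range. mergeWebhook starts and ends outside this hunk.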