
Add new fields webhookTimeoutSeconds and failurePolicy to the policy Spec (#2456)

* add tag WebhookTimeoutSeconds to policy spec

Signed-off-by: ShutingZhao <shutting06@gmail.com>

* add spec.failurePolicy

Signed-off-by: ShutingZhao <shutting06@gmail.com>
shuting 2021-09-29 20:53:34 -07:00 committed by GitHub
parent 575f3627fc
commit af944b9cd5
8 changed files with 175 additions and 0 deletions


@ -31,6 +31,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -53,6 +56,12 @@ spec:
background:
description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
items:
@ -956,6 +965,10 @@ spec:
validationFailureAction:
description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime data.
@ -2172,6 +2185,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -2194,6 +2210,12 @@ spec:
background:
description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
items:
@ -3097,6 +3119,10 @@ spec:
validationFailureAction:
description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for this policy. After the timeout passes, the admission request will fail based on the failure policy. The default timeout is 3s, the value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint


@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -56,6 +59,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -1538,6 +1550,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime data.


@ -25,6 +25,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -57,6 +60,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -1539,6 +1551,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime information. Deprecated. Policy


@ -43,6 +43,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -74,6 +77,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -1556,6 +1568,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime data.
@ -3162,6 +3181,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -3194,6 +3216,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -4676,6 +4707,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime information. Deprecated. Policy


@ -30,6 +30,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -61,6 +64,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -1543,6 +1555,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime data.
@ -3121,6 +3140,9 @@ spec:
- jsonPath: .spec.validationFailureAction
name: Action
type: string
- jsonPath: .spec.failurePolicy
name: Failure Policy
type: string
- jsonPath: .status.ready
name: Ready
type: string
@ -3153,6 +3175,15 @@ spec:
that are only available in the admission review request (e.g. user
name).
type: boolean
failurePolicy:
description: FailurePolicy defines how unrecognized errors from the
admission endpoint are handled. Rules within the same policy share
the same failure behavior. Allowed values are Ignore or Fail. Defaults
to Fail.
enum:
- Ignore
- Fail
type: string
rules:
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
@ -4635,6 +4666,13 @@ spec:
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
webhookTimeoutSeconds:
description: WebhookTimeoutSeconds specifies the webhook timeout for
this policy. After the timeout passes, the admission request will
fail based on the failure policy. The default timeout is 3s, the
value must be between 1 and 30 seconds. Default to 10 seconds.
format: int32
type: integer
type: object
status:
description: Status contains policy runtime information. Deprecated. Policy


@ -13,6 +13,7 @@ import (
// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol
// +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy"
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready`
type ClusterPolicy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`


@ -22,6 +22,7 @@ type PolicyList struct {
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction"
// +kubebuilder:printcolumn:name="Failure Policy",type="string",JSONPath=".spec.failurePolicy"
// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.ready`
// +kubebuilder:resource:shortName=pol
type Policy struct {
@ -44,6 +45,12 @@ type Spec struct {
// each rule can validate, mutate, or generate resources.
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
// FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
// Rules within the same policy share the same failure behavior.
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// ValidationFailureAction controls if a validation policy rule failure should disallow
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional. The default value is "audit".
@ -60,6 +67,12 @@ type Spec struct {
// Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
// +optional
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
// WebhookTimeoutSeconds specifies the webhook timeout for this policy.
// After the timeout passes, the admission request will fail based on the failure policy.
// The default timeout is 3s, the value must be between 1 and 30 seconds.
// Default to 10 seconds.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
}
// Rule defines a validation, mutation, or generation control for matching resources.
@ -113,6 +126,17 @@ type Rule struct {
VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
// +kubebuilder:validation:Enum=Ignore;Fail
type FailurePolicyType string
const (
// Ignore means that an error calling the webhook is ignored.
Ignore FailurePolicyType = "Ignore"
// Fail means that an error calling the webhook causes the admission to fail.
Fail FailurePolicyType = "Fail"
)
// AnyAllCondition consists of conditions wrapped denoting a logical criteria to be fulfilled.
// AnyConditions get fulfilled when at least one of its sub-conditions passes.
// AllConditions get fulfilled only when all of its sub-conditions pass.
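Review bot: The documented 1–30 second range on `WebhookTimeoutSeconds` in the `@ -60,6 +67,12 @@` hunk is not enforced by the schema, whereas `FailurePolicy` gets `// +kubebuilder:validation:Enum=Ignore;Fail`; a value outside that range would only be caught later, when the webhook configuration is written, since the API server rejects webhook timeouts outside 1–30. Adding `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` above the field (and `// +optional`, which `FailurePolicy` has and this field lacks) makes the CRD reject bad values at admission of the policy itself. The comment also contradicts itself, stating "The default timeout is 3s" and then "Default to 10 seconds"; which default the controller actually applies is not visible in this diff, so pick the one that matches the code and drop the other, e.g. `// The value must be between 1 and 30 seconds; defaults to 10 seconds when unset.` The regenerated CRD descriptions in the earlier file sections repeat the same contradictory sentence and will pick up the fix on regeneration.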


@ -657,6 +657,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.FailurePolicy != nil {
in, out := &in.FailurePolicy, &out.FailurePolicy
*out = new(FailurePolicyType)
**out = **in
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)
@ -667,6 +672,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
*out = new(bool)
**out = **in
}
if in.WebhookTimeoutSeconds != nil {
in, out := &in.WebhookTimeoutSeconds, &out.WebhookTimeoutSeconds
*out = new(int32)
**out = **in
}
return
}