From b61a1f3d181d5e7d3f5992fa21a6ffc281773b79 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Fri, 22 Dec 2023 12:13:58 +0200 Subject: [PATCH] fix: set v2beta1 of exceptions the storage version (#9254) 
Signed-off-by: Mariam Fahmy Co-authored-by: shuting --- api/kyverno/v2/policy_exception_types.go | 1 - api/kyverno/v2beta1/policy_exception_types.go | 2 +- charts/kyverno/charts/crds/templates/crds.yaml | 7 +++---- .../commands/create/exception/command_test.go | 4 ++-- .../commands/create/templates/exception.yaml | 2 +- .../data/crds/kyverno.io_policyexceptions.yaml | 7 +++---- cmd/cli/kubectl-kyverno/exception/load.go | 6 +++--- cmd/internal/engine.go | 2 +- config/crds/kyverno.io_policyexceptions.yaml | 7 +++---- config/install-latest-testing.yaml | 7 +++---- pkg/engine/api/ruleresponse.go | 8 ++++---- pkg/engine/api/selector.go | 4 ++-- pkg/engine/exceptions.go | 6 +++--- pkg/engine/handlers/handler.go | 4 ++-- pkg/engine/handlers/mutation/mutate_existing.go | 4 ++-- pkg/engine/handlers/mutation/mutate_image.go | 4 ++-- pkg/engine/handlers/mutation/mutate_resource.go | 4 ++-- pkg/engine/handlers/validation/validate_cel.go | 4 ++-- pkg/engine/handlers/validation/validate_image.go | 4 ++-- pkg/engine/handlers/validation/validate_manifest.go | 4 ++-- pkg/engine/handlers/validation/validate_pss.go | 4 ++-- pkg/engine/handlers/validation/validate_resource.go | 4 ++-- pkg/engine/utils/exceptions.go | 6 +++--- pkg/utils/admission/exception.go | 10 +++++----- pkg/validation/exception/validate.go | 4 ++-- pkg/validation/exception/validate_test.go | 8 ++++---- pkg/webhooks/resource/fake.go | 2 +- .../exceptions/allows-rejects-creation/exception.yaml | 2 +- .../exceptions/applies-to-delete/exception.yaml | 2 +- .../background-mode/standard/exception-allowed.yaml | 2 +- .../background-mode/standard/exception-rejected.yaml | 2 +- .../chainsaw/exceptions/conditions/exception.yaml | 2 +- .../events-creation/chainsaw-step-02-apply-2.yaml | 2 +- .../exceptions/only-for-specific-user/exception.yaml | 2 +- .../chainsaw/exceptions/with-wildcard/exception.yaml | 2 +- .../policy-exceptions-disabled/policy_exception.yaml | 2 +- .../reports/admission/exception/exception.yaml | 2 +- 
.../reports/background/exception/exception.yaml | 2 +- .../chainsaw-step-01-apply-1-4.yaml | 2 +- .../chainsaw-step-01-assert-1-3.yaml | 2 +- 40 files changed, 75 insertions(+), 80 deletions(-) diff --git a/api/kyverno/v2/policy_exception_types.go b/api/kyverno/v2/policy_exception_types.go index 179be22bab..b93813e12e 100644 --- a/api/kyverno/v2/policy_exception_types.go +++ b/api/kyverno/v2/policy_exception_types.go @@ -26,7 +26,6 @@ import ( // +kubebuilder:object:root=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:shortName=polex,categories=kyverno -// +kubebuilder:storageversion // PolicyException declares resources to be excluded from specified policies. type PolicyException struct { diff --git a/api/kyverno/v2beta1/policy_exception_types.go b/api/kyverno/v2beta1/policy_exception_types.go index 8b99b6b5fc..b6591cfb10 100644 --- a/api/kyverno/v2beta1/policy_exception_types.go +++ b/api/kyverno/v2beta1/policy_exception_types.go @@ -25,7 +25,7 @@ import ( // +kubebuilder:object:root=true // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:resource:shortName=polex,categories=kyverno -// +kubebuilder:deprecatedversion +// +kubebuilder:storageversion // PolicyException declares resources to be excluded from specified policies. type PolicyException struct { diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index 9e40a96d03..f5e7e02f3a 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml @@ -42425,7 +42425,7 @@ spec: - spec type: object served: true - storage: true + storage: false - name: v2alpha1 schema: openAPIV3Schema: @@ -43017,8 +43017,7 @@ spec: type: object served: false storage: false - - deprecated: true - name: v2beta1 + - name: v2beta1 schema: openAPIV3Schema: description: PolicyException declares resources to be excluded from specified 
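Review bot: Moving `+kubebuilder:storageversion` from the v2 type to the v2beta1 type (and dropping `+kubebuilder:deprecatedversion` there) changes the version new writes are persisted in, but neither hunk records what this means for PolicyException objects already stored as v2. Those objects stay in their old stored version until they are rewritten, and whether the two schemas are field-compatible is not visible here, so that should be confirmed. A PolicyException exempts resources from policy enforcement, so an exception that reads back differently after an upgrade is a security-relevant change. I would add a comment above the marker in the v2beta1 file, for example `// v2beta1 is the storage version; objects persisted as v2 by earlier releases must be re-written before v2 can stop being served.` Both struct definitions continue outside the hunks.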
@@ -43608,7 +43607,7 @@ spec: - spec type: object served: true - storage: false + storage: true --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go b/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go index d4f7143a57..e177c733d9 100644 --- a/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go +++ b/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go @@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) { out, err := io.ReadAll(b) assert.NoError(t, err) expected := ` -apiVersion: kyverno.io/v2 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: test @@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) { out, err := io.ReadAll(b) assert.NoError(t, err) expected := ` -apiVersion: kyverno.io/v2 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: test diff --git a/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml b/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml index 2e4f76188e..bdb65cc3a0 100644 --- a/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml +++ b/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: {{ .Name }} diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml index 44acb9b8be..0316731972 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml @@ -608,7 +608,7 @@ spec: - spec type: object served: true - storage: true + storage: false - name: v2alpha1 schema: openAPIV3Schema: 
@@ -1200,8 +1200,7 @@ spec: type: object served: false storage: false - - deprecated: true - name: v2beta1 + - name: v2beta1 schema: openAPIV3Schema: description: PolicyException declares resources to be excluded from specified @@ -1791,4 +1790,4 @@ spec: - spec type: object served: true - storage: false + storage: true diff --git a/cmd/cli/kubectl-kyverno/exception/load.go b/cmd/cli/kubectl-kyverno/exception/load.go index 8fd047fdd6..641f1b5083 100644 --- a/cmd/cli/kubectl-kyverno/exception/load.go +++ b/cmd/cli/kubectl-kyverno/exception/load.go @@ -19,12 +19,12 @@ var ( exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException") ) -func Load(content []byte) ([]*kyvernov2.PolicyException, error) { +func Load(content []byte) ([]*kyvernov2beta1.PolicyException, error) { documents, err := yamlutils.SplitDocuments(content) if err != nil { return nil, err } - var exceptions []*kyvernov2.PolicyException + var exceptions []*kyvernov2beta1.PolicyException for _, document := range documents { gvk, untyped, err := factory.Load(document) if err != nil { @@ -32,7 +32,7 @@ func Load(content []byte) ([]*kyvernov2.PolicyException, error) { } switch gvk { case exceptionV2beta1, exceptionV2: - exception, err := convert.To[kyvernov2.PolicyException](untyped) + exception, err := convert.To[kyvernov2beta1.PolicyException](untyped) if err != nil { return nil, err } diff --git a/cmd/internal/engine.go b/cmd/internal/engine.go index 812c223821..0e451e606b 100644 --- a/cmd/internal/engine.go +++ b/cmd/internal/engine.go @@ -65,7 +65,7 @@ func NewExceptionSelector( var exceptionsLister engineapi.PolicyExceptionSelector if enablePolicyException { factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod) - lister := factory.Kyverno().V2().PolicyExceptions().Lister() + lister := factory.Kyverno().V2beta1().PolicyExceptions().Lister() if exceptionNamespace != "" { exceptionsLister = lister.PolicyExceptions(exceptionNamespace) } else { 
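Review bot: In `Load` (cmd/cli/kubectl-kyverno/exception/load.go), the `case exceptionV2beta1, exceptionV2:` branch now decodes both kinds with `convert.To[kyvernov2beta1.PolicyException](untyped)`, so a document declaring `kyverno.io/v2` is read into the v2beta1 struct with no version-specific handling. `convert.To` is not shown here; if it is a plain decode, a field that exists only in v2 would presumably be dropped without an error and the returned object would keep its v2 apiVersion. Because these objects grant policy bypasses, a silent difference between what the CLI evaluates and what the cluster evaluates is worth ruling out. At minimum I would document the contract on the function: `// Load parses PolicyException documents; kyverno.io/v2 input is decoded as v2beta1 and must be schema-compatible.` The loop body of `Load` continues outside the hunk.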
diff --git a/config/crds/kyverno.io_policyexceptions.yaml b/config/crds/kyverno.io_policyexceptions.yaml index 44acb9b8be..0316731972 100644 --- a/config/crds/kyverno.io_policyexceptions.yaml +++ b/config/crds/kyverno.io_policyexceptions.yaml @@ -608,7 +608,7 @@ spec: - spec type: object served: true - storage: true + storage: false - name: v2alpha1 schema: openAPIV3Schema: @@ -1200,8 +1200,7 @@ spec: type: object served: false storage: false - - deprecated: true - name: v2beta1 + - name: v2beta1 schema: openAPIV3Schema: description: PolicyException declares resources to be excluded from specified @@ -1791,4 +1790,4 @@ spec: - spec type: object served: true - storage: false + storage: true diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 1486109fd7..a7380645c4 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -42648,7 +42648,7 @@ spec: - spec type: object served: true - storage: true + storage: false - name: v2alpha1 schema: openAPIV3Schema: @@ -43240,8 +43240,7 @@ spec: type: object served: false storage: false - - deprecated: true - name: v2beta1 + - name: v2beta1 schema: openAPIV3Schema: description: PolicyException declares resources to be excluded from specified @@ -43831,7 +43830,7 @@ spec: - spec type: object served: true - storage: false + storage: true --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/pkg/engine/api/ruleresponse.go b/pkg/engine/api/ruleresponse.go index f26e80fe38..27222ee483 100644 --- a/pkg/engine/api/ruleresponse.go +++ b/pkg/engine/api/ruleresponse.go @@ -3,7 +3,7 @@ package api import ( "fmt" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" pssutils "github.com/kyverno/kyverno/pkg/pss/utils" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -43,7 +43,7 @@ type RuleResponse struct { // podSecurityChecks contains pod security checks (only if this is a pod security rule) podSecurityChecks *PodSecurityChecks // exception is the exception applied (if any) - exception *kyvernov2.PolicyException + exception *kyvernov2beta1.PolicyException } func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse { @@ -78,7 +78,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse { return NewRuleResponse(name, ruleType, msg, RuleStatusFail) } -func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse { +func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse { r.exception = exception return &r } @@ -109,7 +109,7 @@ func (r *RuleResponse) Stats() ExecutionStats { return r.stats } -func (r *RuleResponse) Exception() *kyvernov2.PolicyException { +func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException { return r.exception } diff --git a/pkg/engine/api/selector.go b/pkg/engine/api/selector.go index dc409e31db..44435680a9 100644 --- a/pkg/engine/api/selector.go +++ b/pkg/engine/api/selector.go @@ -1,7 +1,7 @@ package api import ( - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "k8s.io/apimachinery/pkg/labels" ) @@ -14,4 +14,4 @@ type NamespacedResourceSelector[T any] interface { } // PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions -type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2.PolicyException] +type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException] diff --git a/pkg/engine/exceptions.go b/pkg/engine/exceptions.go index a05b793e40..07cbd17357 100644 --- a/pkg/engine/exceptions.go +++ b/pkg/engine/exceptions.go 
@@ -4,7 +4,7 @@ import ( "fmt" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" ) @@ -13,8 +13,8 @@ import ( func (e *engine) GetPolicyExceptions( policy kyvernov1.PolicyInterface, rule string, -) ([]kyvernov2.PolicyException, error) { - var exceptions []kyvernov2.PolicyException +) ([]kyvernov2beta1.PolicyException, error) { + var exceptions []kyvernov2beta1.PolicyException if e.exceptionSelector == nil { return exceptions, nil } diff --git a/pkg/engine/handlers/handler.go b/pkg/engine/handlers/handler.go index ba6cd4e8d6..53cf069dc8 100644 --- a/pkg/engine/handlers/handler.go +++ b/pkg/engine/handlers/handler.go @@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -18,7 +18,7 @@ type Handler interface { unstructured.Unstructured, kyvernov1.Rule, engineapi.EngineContextLoader, - []kyvernov2.PolicyException, + []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) } diff --git a/pkg/engine/handlers/mutation/mutate_existing.go b/pkg/engine/handlers/mutation/mutate_existing.go index 603f4e70f8..7cce2eb250 100644 --- a/pkg/engine/handlers/mutation/mutate_existing.go +++ b/pkg/engine/handlers/mutation/mutate_existing.go 
@@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" @@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/mutation/mutate_image.go b/pkg/engine/handlers/mutation/mutate_image.go index a1c8413b44..c9dbe1a9eb 100644 --- a/pkg/engine/handlers/mutation/mutate_image.go +++ b/pkg/engine/handlers/mutation/mutate_image.go @@ -6,7 +6,7 @@ import ( json_patch "github.com/evanphx/json-patch/v5" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" @@ -69,7 +69,7 @@ func (h mutateImageHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) 
diff --git a/pkg/engine/handlers/mutation/mutate_resource.go b/pkg/engine/handlers/mutation/mutate_resource.go index f009d98800..7b26c583f0 100644 --- a/pkg/engine/handlers/mutation/mutate_resource.go +++ b/pkg/engine/handlers/mutation/mutate_resource.go @@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/mutate" @@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go index e8b22fc0eb..14b8ea4ddd 100644 --- a/pkg/engine/handlers/validation/validate_cel.go +++ b/pkg/engine/handlers/validation/validate_cel.go @@ -6,7 +6,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" 
@@ -43,7 +43,7 @@ func (h validateCELHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { if engineutils.IsDeleteRequest(policyContext) { logger.V(3).Info("skipping CEL validation on deleted resource") diff --git a/pkg/engine/handlers/validation/validate_image.go b/pkg/engine/handlers/validation/validate_image.go index 28214513fc..ed409b6784 100644 --- a/pkg/engine/handlers/validation/validate_image.go +++ b/pkg/engine/handlers/validation/validate_image.go @@ -6,7 +6,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" @@ -44,7 +44,7 @@ func (h validateImageHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_manifest.go b/pkg/engine/handlers/validation/validate_manifest.go index 8b70b1b214..ad45ebd636 100644 --- a/pkg/engine/handlers/validation/validate_manifest.go +++ b/pkg/engine/handlers/validation/validate_manifest.go 
@@ -15,7 +15,7 @@ import ( "github.com/ghodss/yaml" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" @@ -57,7 +57,7 @@ func (h validateManifestHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go index d9b7a7557f..9617067681 100644 --- a/pkg/engine/handlers/validation/validate_pss.go +++ b/pkg/engine/handlers/validation/validate_pss.go @@ -7,7 +7,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" engineutils "github.com/kyverno/kyverno/pkg/engine/utils" @@ -33,7 +33,7 @@ func (h validatePssHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) 
diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index acb9f4a8f6..99dcad7dd4 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go @@ -9,7 +9,7 @@ import ( "github.com/go-logr/logr" gojmespath "github.com/kyverno/go-jmespath" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" @@ -38,7 +38,7 @@ func (h validateResourceHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []kyvernov2.PolicyException, + exceptions []kyvernov2beta1.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/utils/exceptions.go b/pkg/engine/utils/exceptions.go index fccf4190e9..a01130c059 100644 --- a/pkg/engine/utils/exceptions.go +++ b/pkg/engine/utils/exceptions.go @@ -2,7 +2,7 @@ package utils import ( "github.com/go-logr/logr" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/utils/conditions" matched "github.com/kyverno/kyverno/pkg/utils/match" 
@@ -11,10 +11,10 @@ import ( // MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource. // It returns the matched policy exception. func MatchesException( - polexs []kyvernov2.PolicyException, + polexs []kyvernov2beta1.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger, -) *kyvernov2.PolicyException { +) *kyvernov2beta1.PolicyException { gvk, subresource := policyContext.ResourceKind() resource := policyContext.NewResource() if resource.Object == nil { diff --git a/pkg/utils/admission/exception.go b/pkg/utils/admission/exception.go index 68a1344e4e..34775a139d 100644 --- a/pkg/utils/admission/exception.go +++ b/pkg/utils/admission/exception.go @@ -3,20 +3,20 @@ package admission import ( "encoding/json" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" admissionv1 "k8s.io/api/admission/v1" ) -func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) { - var exception *kyvernov2.PolicyException +func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) { + var exception *kyvernov2beta1.PolicyException if err := json.Unmarshal(raw, &exception); err != nil { return nil, err } return exception, nil } -func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) { - var empty *kyvernov2.PolicyException +func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) { + var empty *kyvernov2beta1.PolicyException exception, err := UnmarshalPolicyException(request.Object.Raw) if err != nil { return exception, empty, err diff --git a/pkg/validation/exception/validate.go b/pkg/validation/exception/validate.go index f077774995..17462e584e 100644 --- a/pkg/validation/exception/validate.go +++ b/pkg/validation/exception/validate.go 
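Review bot: `UnmarshalPolicyException` (pkg/utils/admission/exception.go) decodes the admission payload with `json.Unmarshal` into `*kyvernov2beta1.PolicyException` and never inspects the object's apiVersion, so a request submitted under another served version would be validated as if it were v2beta1. `json.Unmarshal` ignores unknown fields, so anything the v2beta1 struct lacks is dropped before validation rather than rejected. This path validates objects that exempt workloads from policy, so that leniency should be an explicit decision. A doc comment such as `// UnmarshalPolicyException decodes raw as v2beta1; the apiVersion is not checked and unknown fields are ignored.` would record it, or the decode could be made strict with a `json.Decoder` and `DisallowUnknownFields`. `GetPolicyExceptions` continues outside the hunk.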
@@ -4,7 +4,7 @@ import ( "context" "github.com/go-logr/logr" - kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" ) const ( @@ -18,7 +18,7 @@ type ValidationOptions struct { } // Validate checks policy exception is valid -func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) { +func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) { var warnings []string if !opts.Enabled { warnings = append(warnings, disabledPolex) diff --git a/pkg/validation/exception/validate_test.go b/pkg/validation/exception/validate_test.go index a55e85a64c..e10e287403 100644 --- a/pkg/validation/exception/validate_test.go +++ b/pkg/validation/exception/validate_test.go @@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) { Enabled: false, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 1, }, 
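Review bot: Every fixture in `Test_Validate` is switched from `kyverno.io/v2` to `kyverno.io/v2beta1` (this hunk and the ones at -37, -48 and -59), which leaves no case that feeds a v2 PolicyException through the validation path. The CRD hunks appear to keep the older version served with only `storage` flipped, so v2 objects can presumably still reach this code. I would keep one table entry with `"apiVersion":"kyverno.io/v2"` and the same expected warning count, so a decoding regression for that version is caught. The test table continues outside the hunk.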
@@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 1, }, @@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 0, }, 
@@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 0, }, diff --git a/pkg/webhooks/resource/fake.go b/pkg/webhooks/resource/fake.go index aea66b4b50..9438901fe3 100644 --- a/pkg/webhooks/resource/fake.go +++ b/pkg/webhooks/resource/fake.go @@ -39,7 +39,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook dclient := dclient.NewEmptyFakeClient() configuration := config.NewDefaultConfiguration(false) urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) - peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister() + peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister() jp := jmespath.New(configuration) rclient := registryclient.NewOrDie() diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml index ae94ec8390..3c5fd95b9b 100644 --- a/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml +++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2 +apiVersion: kyverno.io/v2beta1 kind: PolicyException metadata: name: mynewpolex 
diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml
index f0f3347fc5..a9e5e9afb7 100644
--- a/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: delta-exception
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml
index 498f003c50..8e550cc2de 100644
--- a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: polex-right
diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml
index 4f4e2aa240..94845c6e40 100644
--- a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml
+++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: polex-wrong
diff --git a/test/conformance/chainsaw/exceptions/conditions/exception.yaml b/test/conformance/chainsaw/exceptions/conditions/exception.yaml
index 4ab722cd7e..e7a8ede127 100644
--- a/test/conformance/chainsaw/exceptions/conditions/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/conditions/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: container-exception
diff --git a/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml b/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml
index e51e588938..31e9e32f1d 100755
--- a/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml
+++ b/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: policy-exception-allow-latest
diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml
index 0f2efbdc1c..b5beaf8848 100644
--- a/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: mynewpolex
diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml
index 7c5b688d46..9ded4a7449 100644
--- a/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: mynewpolex
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
index 9c8b6531f9..8b1026d3a0 100644
--- a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
+++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: label-exception
diff --git a/test/conformance/chainsaw/reports/admission/exception/exception.yaml b/test/conformance/chainsaw/reports/admission/exception/exception.yaml
index ae94ec8390..3c5fd95b9b 100644
--- a/test/conformance/chainsaw/reports/admission/exception/exception.yaml
+++ b/test/conformance/chainsaw/reports/admission/exception/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: mynewpolex
diff --git a/test/conformance/chainsaw/reports/background/exception/exception.yaml b/test/conformance/chainsaw/reports/background/exception/exception.yaml
index fa60bad8a9..54a997c350 100644
--- a/test/conformance/chainsaw/reports/background/exception/exception.yaml
+++ b/test/conformance/chainsaw/reports/background/exception/exception.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: mynewpolex
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
index 86b6844742..f936108985 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: allow-scaling-nginx-test
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
index 86b6844742..f936108985 100755
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml
@@ -1,4 +1,4 @@
-apiVersion: kyverno.io/v2
+apiVersion: kyverno.io/v2beta1
 kind: PolicyException
 metadata:
 name: allow-scaling-nginx-test