mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00

fix: set v2beta1 of exceptions the storage version (#9254)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Mariam Fahmy 2023-12-22 12:13:58 +02:00 committed by GitHub
parent ca31df9025
commit b61a1f3d18
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 75 additions and 80 deletions


@ -26,7 +26,6 @@ import (
// +kubebuilder:object:root=true // +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:shortName=polex,categories=kyverno // +kubebuilder:resource:shortName=polex,categories=kyverno
// +kubebuilder:storageversion
// PolicyException declares resources to be excluded from specified policies. // PolicyException declares resources to be excluded from specified policies.
type PolicyException struct { type PolicyException struct {


@ -25,7 +25,7 @@ import (
// +kubebuilder:object:root=true // +kubebuilder:object:root=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:resource:shortName=polex,categories=kyverno // +kubebuilder:resource:shortName=polex,categories=kyverno
// +kubebuilder:deprecatedversion // +kubebuilder:storageversion
// PolicyException declares resources to be excluded from specified policies. // PolicyException declares resources to be excluded from specified policies.
type PolicyException struct { type PolicyException struct {
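Review bot: Replacing `+kubebuilder:deprecatedversion` with `+kubebuilder:storageversion` on the v2beta1 type moves the storage version back from v2, but nothing in the visible change handles objects that a cluster already persisted as v2. Such objects stay in etcd at v2 until they are rewritten, and the CRD's `status.storedVersions` will keep listing v2, which matters if v2 is later dropped from the served versions. Since PolicyExceptions carve resources out of policy enforcement, the upgrade notes should tell operators to confirm that their existing exceptions still list after upgrading. I would also record the intent next to the marker, e.g. `// v2beta1 is the storage version; v2 stays served but is not persisted.` The struct body continues outside the hunk.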


@ -42425,7 +42425,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: true storage: false
- name: v2alpha1 - name: v2alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
@ -43017,8 +43017,7 @@ spec:
type: object type: object
served: false served: false
storage: false storage: false
- deprecated: true - name: v2beta1
name: v2beta1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified description: PolicyException declares resources to be excluded from specified
@ -43608,7 +43607,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: false storage: true
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition


@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) {
out, err := io.ReadAll(b) out, err := io.ReadAll(b)
assert.NoError(t, err) assert.NoError(t, err)
expected := ` expected := `
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: test name: test
@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) {
out, err := io.ReadAll(b) out, err := io.ReadAll(b)
assert.NoError(t, err) assert.NoError(t, err)
expected := ` expected := `
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: test name: test


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: {{ .Name }} name: {{ .Name }}


@ -608,7 +608,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: true storage: false
- name: v2alpha1 - name: v2alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
@ -1200,8 +1200,7 @@ spec:
type: object type: object
served: false served: false
storage: false storage: false
- deprecated: true - name: v2beta1
name: v2beta1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified description: PolicyException declares resources to be excluded from specified
@ -1791,4 +1790,4 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: false storage: true


@ -19,12 +19,12 @@ var (
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException") exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
) )
func Load(content []byte) ([]*kyvernov2.PolicyException, error) { func Load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
documents, err := yamlutils.SplitDocuments(content) documents, err := yamlutils.SplitDocuments(content)
if err != nil { if err != nil {
return nil, err return nil, err
} }
var exceptions []*kyvernov2.PolicyException var exceptions []*kyvernov2beta1.PolicyException
for _, document := range documents { for _, document := range documents {
gvk, untyped, err := factory.Load(document) gvk, untyped, err := factory.Load(document)
if err != nil { if err != nil {
@ -32,7 +32,7 @@ func Load(content []byte) ([]*kyvernov2.PolicyException, error) {
} }
switch gvk { switch gvk {
case exceptionV2beta1, exceptionV2: case exceptionV2beta1, exceptionV2:
exception, err := convert.To[kyvernov2.PolicyException](untyped) exception, err := convert.To[kyvernov2beta1.PolicyException](untyped)
if err != nil { if err != nil {
return nil, err return nil, err
} }
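Review bot: In `Load`, the `case exceptionV2beta1, exceptionV2:` branch now converts a document declared as `kyverno.io/v2` into `kyvernov2beta1.PolicyException`, so any field that exists only in the v2 schema is handled however `convert.To` treats unknown fields, which is not visible here. If the two schemas are meant to stay identical, state that above the case, e.g. `// v2 and v2beta1 share one schema; both are decoded into the v2beta1 type.` The same applies to `UnmarshalPolicyException` in the admission package, where `json.Unmarshal` ignores unknown fields silently and the request's version is not checked. `Load` is exported and has no doc comment, and its body continues outside the hunk.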


@ -65,7 +65,7 @@ func NewExceptionSelector(
var exceptionsLister engineapi.PolicyExceptionSelector var exceptionsLister engineapi.PolicyExceptionSelector
if enablePolicyException { if enablePolicyException {
factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod) factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
lister := factory.Kyverno().V2().PolicyExceptions().Lister() lister := factory.Kyverno().V2beta1().PolicyExceptions().Lister()
if exceptionNamespace != "" { if exceptionNamespace != "" {
exceptionsLister = lister.PolicyExceptions(exceptionNamespace) exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
} else { } else {


@ -608,7 +608,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: true storage: false
- name: v2alpha1 - name: v2alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
@ -1200,8 +1200,7 @@ spec:
type: object type: object
served: false served: false
storage: false storage: false
- deprecated: true - name: v2beta1
name: v2beta1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified description: PolicyException declares resources to be excluded from specified
@ -1791,4 +1790,4 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: false storage: true


@ -42648,7 +42648,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: true storage: false
- name: v2alpha1 - name: v2alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
@ -43240,8 +43240,7 @@ spec:
type: object type: object
served: false served: false
storage: false storage: false
- deprecated: true - name: v2beta1
name: v2beta1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: PolicyException declares resources to be excluded from specified description: PolicyException declares resources to be excluded from specified
@ -43831,7 +43830,7 @@ spec:
- spec - spec
type: object type: object
served: true served: true
storage: false storage: true
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition


@ -3,7 +3,7 @@ package api
import ( import (
"fmt" "fmt"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
pssutils "github.com/kyverno/kyverno/pkg/pss/utils" pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -43,7 +43,7 @@ type RuleResponse struct {
// podSecurityChecks contains pod security checks (only if this is a pod security rule) // podSecurityChecks contains pod security checks (only if this is a pod security rule)
podSecurityChecks *PodSecurityChecks podSecurityChecks *PodSecurityChecks
// exception is the exception applied (if any) // exception is the exception applied (if any)
exception *kyvernov2.PolicyException exception *kyvernov2beta1.PolicyException
} }
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse { func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse {
@ -78,7 +78,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
return NewRuleResponse(name, ruleType, msg, RuleStatusFail) return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
} }
func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse { func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
r.exception = exception r.exception = exception
return &r return &r
} }
@ -109,7 +109,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
return r.stats return r.stats
} }
func (r *RuleResponse) Exception() *kyvernov2.PolicyException { func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
return r.exception return r.exception
} }


@ -1,7 +1,7 @@
package api package api
import ( import (
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
) )
@ -14,4 +14,4 @@ type NamespacedResourceSelector[T any] interface {
} }
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions // PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2.PolicyException] type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]


@ -4,7 +4,7 @@ import (
"fmt" "fmt"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/cache"
) )
@ -13,8 +13,8 @@ import (
func (e *engine) GetPolicyExceptions( func (e *engine) GetPolicyExceptions(
policy kyvernov1.PolicyInterface, policy kyvernov1.PolicyInterface,
rule string, rule string,
) ([]kyvernov2.PolicyException, error) { ) ([]kyvernov2beta1.PolicyException, error) {
var exceptions []kyvernov2.PolicyException var exceptions []kyvernov2beta1.PolicyException
if e.exceptionSelector == nil { if e.exceptionSelector == nil {
return exceptions, nil return exceptions, nil
} }


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
) )
@ -18,7 +18,7 @@ type Handler interface {
unstructured.Unstructured, unstructured.Unstructured,
kyvernov1.Rule, kyvernov1.Rule,
engineapi.EngineContextLoader, engineapi.EngineContextLoader,
[]kyvernov2.PolicyException, []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) ) (unstructured.Unstructured, []engineapi.RuleResponse)
} }


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal" "github.com/kyverno/kyverno/pkg/engine/internal"
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader, contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -6,7 +6,7 @@ import (
json_patch "github.com/evanphx/json-patch/v5" json_patch "github.com/evanphx/json-patch/v5"
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context" enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
@ -69,7 +69,7 @@ func (h mutateImageHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader, contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -5,7 +5,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/mutate" "github.com/kyverno/kyverno/pkg/engine/mutate"
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader, contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -6,7 +6,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal" "github.com/kyverno/kyverno/pkg/engine/internal"
@ -43,7 +43,7 @@ func (h validateCELHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
_ engineapi.EngineContextLoader, _ engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
if engineutils.IsDeleteRequest(policyContext) { if engineutils.IsDeleteRequest(policyContext) {
logger.V(3).Info("skipping CEL validation on deleted resource") logger.V(3).Info("skipping CEL validation on deleted resource")


@ -6,7 +6,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
@ -44,7 +44,7 @@ func (h validateImageHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
_ engineapi.EngineContextLoader, _ engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -15,7 +15,7 @@ import (
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
_ engineapi.EngineContextLoader, _ engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -7,7 +7,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils" engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
@ -33,7 +33,7 @@ func (h validatePssHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
_ engineapi.EngineContextLoader, _ engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -9,7 +9,7 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
gojmespath "github.com/kyverno/go-jmespath" gojmespath "github.com/kyverno/go-jmespath"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/internal" "github.com/kyverno/kyverno/pkg/engine/internal"
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
resource unstructured.Unstructured, resource unstructured.Unstructured,
rule kyvernov1.Rule, rule kyvernov1.Rule,
contextLoader engineapi.EngineContextLoader, contextLoader engineapi.EngineContextLoader,
exceptions []kyvernov2.PolicyException, exceptions []kyvernov2beta1.PolicyException,
) (unstructured.Unstructured, []engineapi.RuleResponse) { ) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if there is a policy exception matches the incoming resource // check if there is a policy exception matches the incoming resource
exception := engineutils.MatchesException(exceptions, policyContext, logger) exception := engineutils.MatchesException(exceptions, policyContext, logger)


@ -2,7 +2,7 @@ package utils
import ( import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/utils/conditions" "github.com/kyverno/kyverno/pkg/utils/conditions"
matched "github.com/kyverno/kyverno/pkg/utils/match" matched "github.com/kyverno/kyverno/pkg/utils/match"
@ -11,10 +11,10 @@ import (
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource. // MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
// It returns the matched policy exception. // It returns the matched policy exception.
func MatchesException( func MatchesException(
polexs []kyvernov2.PolicyException, polexs []kyvernov2beta1.PolicyException,
policyContext engineapi.PolicyContext, policyContext engineapi.PolicyContext,
logger logr.Logger, logger logr.Logger,
) *kyvernov2.PolicyException { ) *kyvernov2beta1.PolicyException {
gvk, subresource := policyContext.ResourceKind() gvk, subresource := policyContext.ResourceKind()
resource := policyContext.NewResource() resource := policyContext.NewResource()
if resource.Object == nil { if resource.Object == nil {


@ -3,20 +3,20 @@ package admission
import ( import (
"encoding/json" "encoding/json"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
admissionv1 "k8s.io/api/admission/v1" admissionv1 "k8s.io/api/admission/v1"
) )
func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) { func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
var exception *kyvernov2.PolicyException var exception *kyvernov2beta1.PolicyException
if err := json.Unmarshal(raw, &exception); err != nil { if err := json.Unmarshal(raw, &exception); err != nil {
return nil, err return nil, err
} }
return exception, nil return exception, nil
} }
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) { func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
var empty *kyvernov2.PolicyException var empty *kyvernov2beta1.PolicyException
exception, err := UnmarshalPolicyException(request.Object.Raw) exception, err := UnmarshalPolicyException(request.Object.Raw)
if err != nil { if err != nil {
return exception, empty, err return exception, empty, err


@ -4,7 +4,7 @@ import (
"context" "context"
"github.com/go-logr/logr" "github.com/go-logr/logr"
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
) )
const ( const (
@ -18,7 +18,7 @@ type ValidationOptions struct {
} }
// Validate checks policy exception is valid // Validate checks policy exception is valid
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) { func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
var warnings []string var warnings []string
if !opts.Enabled { if !opts.Enabled {
warnings = append(warnings, disabledPolex) warnings = append(warnings, disabledPolex)


@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) {
Enabled: false, Enabled: false,
Namespace: "kyverno", Namespace: "kyverno",
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
}, },
want: 1, want: 1,
}, },
@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) {
Enabled: true, Enabled: true,
Namespace: "kyverno", Namespace: "kyverno",
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
}, },
want: 1, want: 1,
}, },
@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) {
Enabled: true, Enabled: true,
Namespace: "kyverno", Namespace: "kyverno",
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
}, },
want: 0, want: 0,
}, },
@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) {
Enabled: true, Enabled: true,
Namespace: "", Namespace: "",
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
}, },
want: 0, want: 0,
}, },
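Review bot: All four `Test_Validate` fixtures shown here now use `kyverno.io/v2beta1`, so none of the visible cases feeds a `kyverno.io/v2` payload to `Validate`, even though the CRD hunks appear to keep v2 at `served: true`. Keeping one case with the old apiVersion would pin that an exception submitted through the still-served version produces the same warnings as a v2beta1 one. The test table starts and ends outside these hunks, so a v2 case may already exist elsewhere in the file.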


@ -39,7 +39,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
dclient := dclient.NewEmptyFakeClient() dclient := dclient.NewEmptyFakeClient()
configuration := config.NewDefaultConfiguration(false) configuration := config.NewDefaultConfiguration(false)
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister() peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
jp := jmespath.New(configuration) jp := jmespath.New(configuration)
rclient := registryclient.NewOrDie() rclient := registryclient.NewOrDie()


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: mynewpolex name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: delta-exception name: delta-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: polex-right name: polex-right


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: polex-wrong name: polex-wrong


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: container-exception name: container-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: policy-exception-allow-latest name: policy-exception-allow-latest


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: mynewpolex name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: mynewpolex name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: label-exception name: label-exception


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: mynewpolex name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: mynewpolex name: mynewpolex


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: allow-scaling-nginx-test name: allow-scaling-nginx-test


@ -1,4 +1,4 @@
apiVersion: kyverno.io/v2 apiVersion: kyverno.io/v2beta1
kind: PolicyException kind: PolicyException
metadata: metadata:
name: allow-scaling-nginx-test name: allow-scaling-nginx-test