fix: set v2beta1 of exceptions the storage version (#9254)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
ca31df9025
commit
b61a1f3d18
40 changed files with 75 additions and 80 deletions
|
@ -26,7 +26,6 @@ import (
|
||||||
// +kubebuilder:object:root=true
|
// +kubebuilder:object:root=true
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
||||||
// +kubebuilder:storageversion
|
|
||||||
|
|
||||||
// PolicyException declares resources to be excluded from specified policies.
|
// PolicyException declares resources to be excluded from specified policies.
|
||||||
type PolicyException struct {
|
type PolicyException struct {
|
||||||
|
|
|
@ -25,7 +25,7 @@ import (
|
||||||
// +kubebuilder:object:root=true
|
// +kubebuilder:object:root=true
|
||||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||||
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
// +kubebuilder:resource:shortName=polex,categories=kyverno
|
||||||
// +kubebuilder:deprecatedversion
|
// +kubebuilder:storageversion
|
||||||
|
|
||||||
// PolicyException declares resources to be excluded from specified policies.
|
// PolicyException declares resources to be excluded from specified policies.
|
||||||
type PolicyException struct {
|
type PolicyException struct {
|
||||||
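Review bot: Swapping `+kubebuilder:deprecatedversion` for `+kubebuilder:storageversion` on the v2beta1 type moves storage back from v2 (whose marker the first file section removes), but clusters that already persisted PolicyException objects as v2 will keep both versions in the CRD's `status.storedVersions` until every object is rewritten, and the commit neither adds nor documents that migration step. The swap also leaves no served version flagged deprecated, since v2 gains no `deprecatedversion` marker; if that is intended, a comment above the marker such as `// v2beta1 is the storage version; v2 is served but not yet the storage version` would stop the next reader from reverting it. The generated CRD sections below carry the same `storage`/`deprecated` flips and need no separate change once the markers are regenerated.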
|
|
|
@ -42425,7 +42425,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: false
|
||||||
- name: v2alpha1
|
- name: v2alpha1
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
|
@ -43017,8 +43017,7 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
served: false
|
served: false
|
||||||
storage: false
|
storage: false
|
||||||
- deprecated: true
|
- name: v2beta1
|
||||||
name: v2beta1
|
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
description: PolicyException declares resources to be excluded from specified
|
description: PolicyException declares resources to be excluded from specified
|
||||||
|
@ -43608,7 +43607,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: false
|
storage: true
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
|
|
@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) {
|
||||||
out, err := io.ReadAll(b)
|
out, err := io.ReadAll(b)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
expected := `
|
expected := `
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
|
@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) {
|
||||||
out, err := io.ReadAll(b)
|
out, err := io.ReadAll(b)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
expected := `
|
expected := `
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: test
|
name: test
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ .Name }}
|
name: {{ .Name }}
|
||||||
|
|
|
@ -608,7 +608,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: false
|
||||||
- name: v2alpha1
|
- name: v2alpha1
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
|
@ -1200,8 +1200,7 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
served: false
|
served: false
|
||||||
storage: false
|
storage: false
|
||||||
- deprecated: true
|
- name: v2beta1
|
||||||
name: v2beta1
|
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
description: PolicyException declares resources to be excluded from specified
|
description: PolicyException declares resources to be excluded from specified
|
||||||
|
@ -1791,4 +1790,4 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: false
|
storage: true
|
||||||
|
|
|
@ -19,12 +19,12 @@ var (
|
||||||
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
|
exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException")
|
||||||
)
|
)
|
||||||
|
|
||||||
func Load(content []byte) ([]*kyvernov2.PolicyException, error) {
|
func Load(content []byte) ([]*kyvernov2beta1.PolicyException, error) {
|
||||||
documents, err := yamlutils.SplitDocuments(content)
|
documents, err := yamlutils.SplitDocuments(content)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
var exceptions []*kyvernov2.PolicyException
|
var exceptions []*kyvernov2beta1.PolicyException
|
||||||
for _, document := range documents {
|
for _, document := range documents {
|
||||||
gvk, untyped, err := factory.Load(document)
|
gvk, untyped, err := factory.Load(document)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -32,7 +32,7 @@ func Load(content []byte) ([]*kyvernov2.PolicyException, error) {
|
||||||
}
|
}
|
||||||
switch gvk {
|
switch gvk {
|
||||||
case exceptionV2beta1, exceptionV2:
|
case exceptionV2beta1, exceptionV2:
|
||||||
exception, err := convert.To[kyvernov2.PolicyException](untyped)
|
exception, err := convert.To[kyvernov2beta1.PolicyException](untyped)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
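Review bot: The `case exceptionV2beta1, exceptionV2:` branch now decodes a document declared as `kyverno.io/v2` straight into the v2beta1 Go type through `convert.To`, with no check that the two schemas agree, so a field that only exists in one version would be dropped silently. Presumably the versions are structurally identical today; a comment on the case line, `// v2 and v2beta1 currently share one schema, so both decode into the v2beta1 type`, would record that assumption where it is relied on. Load's body continues past the hunk.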
|
|
|
@ -65,7 +65,7 @@ func NewExceptionSelector(
|
||||||
var exceptionsLister engineapi.PolicyExceptionSelector
|
var exceptionsLister engineapi.PolicyExceptionSelector
|
||||||
if enablePolicyException {
|
if enablePolicyException {
|
||||||
factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
factory := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
|
||||||
lister := factory.Kyverno().V2().PolicyExceptions().Lister()
|
lister := factory.Kyverno().V2beta1().PolicyExceptions().Lister()
|
||||||
if exceptionNamespace != "" {
|
if exceptionNamespace != "" {
|
||||||
exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
|
exceptionsLister = lister.PolicyExceptions(exceptionNamespace)
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -608,7 +608,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: false
|
||||||
- name: v2alpha1
|
- name: v2alpha1
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
|
@ -1200,8 +1200,7 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
served: false
|
served: false
|
||||||
storage: false
|
storage: false
|
||||||
- deprecated: true
|
- name: v2beta1
|
||||||
name: v2beta1
|
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
description: PolicyException declares resources to be excluded from specified
|
description: PolicyException declares resources to be excluded from specified
|
||||||
|
@ -1791,4 +1790,4 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: false
|
storage: true
|
||||||
|
|
|
@ -42648,7 +42648,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: true
|
storage: false
|
||||||
- name: v2alpha1
|
- name: v2alpha1
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
|
@ -43240,8 +43240,7 @@ spec:
|
||||||
type: object
|
type: object
|
||||||
served: false
|
served: false
|
||||||
storage: false
|
storage: false
|
||||||
- deprecated: true
|
- name: v2beta1
|
||||||
name: v2beta1
|
|
||||||
schema:
|
schema:
|
||||||
openAPIV3Schema:
|
openAPIV3Schema:
|
||||||
description: PolicyException declares resources to be excluded from specified
|
description: PolicyException declares resources to be excluded from specified
|
||||||
|
@ -43831,7 +43830,7 @@ spec:
|
||||||
- spec
|
- spec
|
||||||
type: object
|
type: object
|
||||||
served: true
|
served: true
|
||||||
storage: false
|
storage: true
|
||||||
---
|
---
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
kind: CustomResourceDefinition
|
kind: CustomResourceDefinition
|
||||||
|
|
|
@ -3,7 +3,7 @@ package api
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
|
@ -43,7 +43,7 @@ type RuleResponse struct {
|
||||||
// podSecurityChecks contains pod security checks (only if this is a pod security rule)
|
// podSecurityChecks contains pod security checks (only if this is a pod security rule)
|
||||||
podSecurityChecks *PodSecurityChecks
|
podSecurityChecks *PodSecurityChecks
|
||||||
// exception is the exception applied (if any)
|
// exception is the exception applied (if any)
|
||||||
exception *kyvernov2.PolicyException
|
exception *kyvernov2beta1.PolicyException
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse {
|
func NewRuleResponse(name string, ruleType RuleType, msg string, status RuleStatus) *RuleResponse {
|
||||||
|
@ -78,7 +78,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse {
|
||||||
return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
|
return NewRuleResponse(name, ruleType, msg, RuleStatusFail)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse {
|
func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse {
|
||||||
r.exception = exception
|
r.exception = exception
|
||||||
return &r
|
return &r
|
||||||
}
|
}
|
||||||
|
@ -109,7 +109,7 @@ func (r *RuleResponse) Stats() ExecutionStats {
|
||||||
return r.stats
|
return r.stats
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *RuleResponse) Exception() *kyvernov2.PolicyException {
|
func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException {
|
||||||
return r.exception
|
return r.exception
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -14,4 +14,4 @@ type NamespacedResourceSelector[T any] interface {
|
||||||
}
|
}
|
||||||
|
|
||||||
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
|
// PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions
|
||||||
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2.PolicyException]
|
type PolicyExceptionSelector = NamespacedResourceSelector[*kyvernov2beta1.PolicyException]
|
||||||
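Review bot: The doc comment on the alias still reads `poliicy exceptions`; since the line beneath it is being touched for the type swap, change it to `// PolicyExceptionSelector is an abstract interface used to resolve policy exceptions`.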
|
|
|
@ -4,7 +4,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
)
|
)
|
||||||
|
@ -13,8 +13,8 @@ import (
|
||||||
func (e *engine) GetPolicyExceptions(
|
func (e *engine) GetPolicyExceptions(
|
||||||
policy kyvernov1.PolicyInterface,
|
policy kyvernov1.PolicyInterface,
|
||||||
rule string,
|
rule string,
|
||||||
) ([]kyvernov2.PolicyException, error) {
|
) ([]kyvernov2beta1.PolicyException, error) {
|
||||||
var exceptions []kyvernov2.PolicyException
|
var exceptions []kyvernov2beta1.PolicyException
|
||||||
if e.exceptionSelector == nil {
|
if e.exceptionSelector == nil {
|
||||||
return exceptions, nil
|
return exceptions, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
)
|
)
|
||||||
|
@ -18,7 +18,7 @@ type Handler interface {
|
||||||
unstructured.Unstructured,
|
unstructured.Unstructured,
|
||||||
kyvernov1.Rule,
|
kyvernov1.Rule,
|
||||||
engineapi.EngineContextLoader,
|
engineapi.EngineContextLoader,
|
||||||
[]kyvernov2.PolicyException,
|
[]kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse)
|
) (unstructured.Unstructured, []engineapi.RuleResponse)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -5,7 +5,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||||
|
@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
contextLoader engineapi.EngineContextLoader,
|
contextLoader engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
json_patch "github.com/evanphx/json-patch/v5"
|
json_patch "github.com/evanphx/json-patch/v5"
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||||
|
@ -69,7 +69,7 @@ func (h mutateImageHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
contextLoader engineapi.EngineContextLoader,
|
contextLoader engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -5,7 +5,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/mutate"
|
"github.com/kyverno/kyverno/pkg/engine/mutate"
|
||||||
|
@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
contextLoader engineapi.EngineContextLoader,
|
contextLoader engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||||
|
@ -43,7 +43,7 @@ func (h validateCELHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
_ engineapi.EngineContextLoader,
|
_ engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
if engineutils.IsDeleteRequest(policyContext) {
|
if engineutils.IsDeleteRequest(policyContext) {
|
||||||
logger.V(3).Info("skipping CEL validation on deleted resource")
|
logger.V(3).Info("skipping CEL validation on deleted resource")
|
||||||
|
|
|
@ -6,7 +6,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
|
@ -44,7 +44,7 @@ func (h validateImageHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
_ engineapi.EngineContextLoader,
|
_ engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -15,7 +15,7 @@ import (
|
||||||
"github.com/ghodss/yaml"
|
"github.com/ghodss/yaml"
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
|
@ -57,7 +57,7 @@ func (h validateManifestHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
_ engineapi.EngineContextLoader,
|
_ engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -7,7 +7,7 @@ import (
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||||
|
@ -33,7 +33,7 @@ func (h validatePssHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
_ engineapi.EngineContextLoader,
|
_ engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -9,7 +9,7 @@ import (
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
gojmespath "github.com/kyverno/go-jmespath"
|
gojmespath "github.com/kyverno/go-jmespath"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||||
|
@ -38,7 +38,7 @@ func (h validateResourceHandler) Process(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
contextLoader engineapi.EngineContextLoader,
|
contextLoader engineapi.EngineContextLoader,
|
||||||
exceptions []kyvernov2.PolicyException,
|
exceptions []kyvernov2beta1.PolicyException,
|
||||||
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
) (unstructured.Unstructured, []engineapi.RuleResponse) {
|
||||||
// check if there is a policy exception matches the incoming resource
|
// check if there is a policy exception matches the incoming resource
|
||||||
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
exception := engineutils.MatchesException(exceptions, policyContext, logger)
|
||||||
|
|
|
@ -2,7 +2,7 @@ package utils
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
"github.com/kyverno/kyverno/pkg/utils/conditions"
|
"github.com/kyverno/kyverno/pkg/utils/conditions"
|
||||||
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
||||||
|
@ -11,10 +11,10 @@ import (
|
||||||
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
|
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
|
||||||
// It returns the matched policy exception.
|
// It returns the matched policy exception.
|
||||||
func MatchesException(
|
func MatchesException(
|
||||||
polexs []kyvernov2.PolicyException,
|
polexs []kyvernov2beta1.PolicyException,
|
||||||
policyContext engineapi.PolicyContext,
|
policyContext engineapi.PolicyContext,
|
||||||
logger logr.Logger,
|
logger logr.Logger,
|
||||||
) *kyvernov2.PolicyException {
|
) *kyvernov2beta1.PolicyException {
|
||||||
gvk, subresource := policyContext.ResourceKind()
|
gvk, subresource := policyContext.ResourceKind()
|
||||||
resource := policyContext.NewResource()
|
resource := policyContext.NewResource()
|
||||||
if resource.Object == nil {
|
if resource.Object == nil {
|
||||||
|
|
|
@ -3,20 +3,20 @@ package admission
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) {
|
func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) {
|
||||||
var exception *kyvernov2.PolicyException
|
var exception *kyvernov2beta1.PolicyException
|
||||||
if err := json.Unmarshal(raw, &exception); err != nil {
|
if err := json.Unmarshal(raw, &exception); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
return exception, nil
|
return exception, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) {
|
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) {
|
||||||
var empty *kyvernov2.PolicyException
|
var empty *kyvernov2beta1.PolicyException
|
||||||
exception, err := UnmarshalPolicyException(request.Object.Raw)
|
exception, err := UnmarshalPolicyException(request.Object.Raw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return exception, empty, err
|
return exception, empty, err
|
||||||
|
|
|
@ -4,7 +4,7 @@ import (
|
||||||
"context"
|
"context"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
@ -18,7 +18,7 @@ type ValidationOptions struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate checks policy exception is valid
|
// Validate checks policy exception is valid
|
||||||
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) {
|
func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) {
|
||||||
var warnings []string
|
var warnings []string
|
||||||
if !opts.Enabled {
|
if !opts.Enabled {
|
||||||
warnings = append(warnings, disabledPolex)
|
warnings = append(warnings, disabledPolex)
|
||||||
|
|
|
@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) {
|
||||||
Enabled: false,
|
Enabled: false,
|
||||||
Namespace: "kyverno",
|
Namespace: "kyverno",
|
||||||
},
|
},
|
||||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||||
},
|
},
|
||||||
want: 1,
|
want: 1,
|
||||||
},
|
},
|
||||||
|
@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) {
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
Namespace: "kyverno",
|
Namespace: "kyverno",
|
||||||
},
|
},
|
||||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||||
},
|
},
|
||||||
want: 1,
|
want: 1,
|
||||||
},
|
},
|
||||||
|
@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) {
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
Namespace: "kyverno",
|
Namespace: "kyverno",
|
||||||
},
|
},
|
||||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||||
},
|
},
|
||||||
want: 0,
|
want: 0,
|
||||||
},
|
},
|
||||||
|
@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) {
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
Namespace: "",
|
Namespace: "",
|
||||||
},
|
},
|
||||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||||
},
|
},
|
||||||
want: 0,
|
want: 0,
|
||||||
},
|
},
|
||||||
|
|
|
@ -39,7 +39,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
||||||
dclient := dclient.NewEmptyFakeClient()
|
dclient := dclient.NewEmptyFakeClient()
|
||||||
configuration := config.NewDefaultConfiguration(false)
|
configuration := config.NewDefaultConfiguration(false)
|
||||||
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
|
||||||
peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister()
|
peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister()
|
||||||
jp := jmespath.New(configuration)
|
jp := jmespath.New(configuration)
|
||||||
rclient := registryclient.NewOrDie()
|
rclient := registryclient.NewOrDie()
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: mynewpolex
|
name: mynewpolex
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: delta-exception
|
name: delta-exception
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: polex-right
|
name: polex-right
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: polex-wrong
|
name: polex-wrong
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: container-exception
|
name: container-exception
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: policy-exception-allow-latest
|
name: policy-exception-allow-latest
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: mynewpolex
|
name: mynewpolex
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: mynewpolex
|
name: mynewpolex
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: label-exception
|
name: label-exception
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: mynewpolex
|
name: mynewpolex
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: mynewpolex
|
name: mynewpolex
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: allow-scaling-nginx-test
|
name: allow-scaling-nginx-test
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
apiVersion: kyverno.io/v2
|
apiVersion: kyverno.io/v2beta1
|
||||||
kind: PolicyException
|
kind: PolicyException
|
||||||
metadata:
|
metadata:
|
||||||
name: allow-scaling-nginx-test
|
name: allow-scaling-nginx-test
|
||||||
|
|