
feat: remove yaml markers (#11015)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-09-05 13:13:16 +02:00 committed by GitHub
parent 0ee73430de
commit bc0f83b175
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
29 changed files with 407 additions and 407 deletions


@ -29,15 +29,15 @@ import (
// ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
type ClusterPolicy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy behaviors.
Spec Spec `json:"spec" yaml:"spec"`
Spec Spec `json:"spec"`
// Status contains policy runtime data.
// +optional
Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
Status PolicyStatus `json:"status,omitempty"`
}
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
@ -132,7 +132,7 @@ func (p *ClusterPolicy) CreateDeepCopy() PolicyInterface {
// ClusterPolicyList is a list of ClusterPolicy instances.
type ClusterPolicyList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []ClusterPolicy `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []ClusterPolicy `json:"items"`
}
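Review bot: Removing the `yaml:"..."` tags on `ClusterPolicy` (and every struct in the second file, notably `WebhookConfiguration.FailurePolicy`/`MatchConditions`, `ServiceCall.CABundle` and `Manifests.Attestors`) changes the key names seen by any decoder that honors those tags, since gopkg.in/yaml defaults to the lowercased field name; a policy decoded that way would now silently drop camelCase keys such as `failurePolicy` or `caBundle` instead of erroring, which is the kind of fail-open drift worth ruling out. This is harmless where sigs.k8s.io/yaml is used, because it converts YAML to JSON first and keeps using the `json` tags, so I would confirm no code path (CLI, test fixtures, tooling) still unmarshals these types with a yaml library directly before merging. The commit message does not say why the tags are redundant; a one-line rationale such as "json tags are authoritative; all YAML decoding goes through sigs.k8s.io/yaml" in the description or a package comment would prevent someone re-adding them. A round-trip test that decodes a sample ClusterPolicy with both tag styles and compares the results would make the equivalence explicit.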


@ -63,17 +63,17 @@ type WebhookConfiguration struct {
// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
// Allowed values are Ignore or Fail. Defaults to Fail.
// +optional
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty"`
// TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" yaml:"timeoutSeconds,omitempty"`
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
// MatchCondition configures admission webhook matchConditions.
// Requires Kubernetes 1.27 or later.
// +optional
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
}
// AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
@ -85,14 +85,14 @@ type AnyAllConditions struct {
// using JMESPath notation.
// Here, at least one of the conditions need to pass
// +optional
AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
AnyConditions []Condition `json:"any,omitempty"`
// AllConditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// Here, all of the conditions need to pass
// +optional
AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
AllConditions []Condition `json:"all,omitempty"`
}
// ContextEntry adds variables and data sources to a rule Context. Either a
@ -104,24 +104,24 @@ type AnyAllConditions struct {
// +kubebuilder:oneOf:={required:{globalReference}}
type ContextEntry struct {
// Name is the variable name.
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// ConfigMap is the ConfigMap reference.
ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"`
ConfigMap *ConfigMapReference `json:"configMap,omitempty"`
// APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
// The data returned is stored in the context with the name for the context entry.
APICall *ContextAPICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`
APICall *ContextAPICall `json:"apiCall,omitempty"`
// ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
// details.
ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty" yaml:"imageRegistry,omitempty"`
ImageRegistry *ImageRegistry `json:"imageRegistry,omitempty"`
// Variable defines an arbitrary JMESPath context variable that can be defined inline.
Variable *Variable `json:"variable,omitempty" yaml:"variable,omitempty"`
Variable *Variable `json:"variable,omitempty"`
// GlobalContextEntryReference is a reference to a cached global context entry.
GlobalReference *GlobalContextEntryReference `json:"globalReference,omitempty" yaml:"globalReference,omitempty"`
GlobalReference *GlobalContextEntryReference `json:"globalReference,omitempty"`
}
// Variable defines an arbitrary JMESPath context variable that can be defined inline.
@ -130,19 +130,19 @@ type Variable struct {
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
Value *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"`
Value *kyverno.Any `json:"value,omitempty"`
// JMESPath is an optional JMESPath Expression that can be used to
// transform the variable.
// +optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
JMESPath string `json:"jmesPath,omitempty"`
// Default is an optional arbitrary JSON object that the variable may take if the JMESPath
// expression evaluates to nil
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
Default *kyverno.Any `json:"default,omitempty" yaml:"default,omitempty"`
Default *kyverno.Any `json:"default,omitempty"`
}
func (v *Variable) GetValue() any {
@ -166,26 +166,26 @@ func (v *Variable) SetDefault(in any) {
type ImageRegistry struct {
// Reference is image reference to a container image in the registry.
// Example: ghcr.io/kyverno/kyverno:latest
Reference string `json:"reference" yaml:"reference"`
Reference string `json:"reference"`
// JMESPath is an optional JSON Match Expression that can be used to
// transform the ImageData struct returned as a result of processing
// the image reference.
// +optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
JMESPath string `json:"jmesPath,omitempty"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`
}
// ConfigMapReference refers to a ConfigMap
type ConfigMapReference struct {
// Name is the ConfigMap name.
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// Namespace is the ConfigMap namespace.
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
Namespace string `json:"namespace,omitempty"`
}
type APICall struct {
@ -196,26 +196,26 @@ type APICall struct {
// for details.
// It's mutually exclusive with the Service field.
// +kubebuilder:validation:Optional
URLPath string `json:"urlPath" yaml:"urlPath"`
URLPath string `json:"urlPath"`
// Method is the HTTP request type (GET or POST). Defaults to GET.
// +kubebuilder:default=GET
Method Method `json:"method,omitempty" yaml:"method,omitempty"`
Method Method `json:"method,omitempty"`
// The data object specifies the POST data sent to the server.
// Only applicable when the method field is set to POST.
// +kubebuilder:validation:Optional
Data []RequestData `json:"data,omitempty" yaml:"data,omitempty"`
Data []RequestData `json:"data,omitempty"`
// Service is an API call to a JSON web service.
// This is used for non-Kubernetes API server calls.
// It's mutually exclusive with the URLPath field.
// +kubebuilder:validation:Optional
Service *ServiceCall `json:"service,omitempty" yaml:"service,omitempty"`
Service *ServiceCall `json:"service,omitempty"`
}
type ContextAPICall struct {
APICall `json:",inline" yaml:",inline"`
APICall `json:",inline"`
// Default is an optional arbitrary JSON object that the context may take if the apiCall
// returns error
@ -228,13 +228,13 @@ type ContextAPICall struct {
// for the URLPath "/apis/apps/v1/deployments" will return the total count
// of deployments across all namespaces.
// +kubebuilder:validation:Optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
JMESPath string `json:"jmesPath,omitempty"`
}
type GlobalContextEntryReference struct {
// Name of the global context entry
// +kubebuilder:validation:Required
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// JMESPath is an optional JSON Match Expression that can be used to
// transform the JSON response returned from the server. For example
@ -242,18 +242,18 @@ type GlobalContextEntryReference struct {
// for the URLPath "/apis/apps/v1/deployments" will return the total count
// of deployments across all namespaces.
// +kubebuilder:validation:Optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
JMESPath string `json:"jmesPath,omitempty"`
}
type ServiceCall struct {
// URL is the JSON web service URL. A typical form is
// `https://{service}.{namespace}:{port}/{path}`.
URL string `json:"url" yaml:"url"`
URL string `json:"url"`
// CABundle is a PEM encoded CA bundle which will be used to validate
// the server certificate.
// +kubebuilder:validation:Optional
CABundle string `json:"caBundle" yaml:"caBundle"`
CABundle string `json:"caBundle"`
}
// Method is a HTTP request type.
@ -263,30 +263,30 @@ type Method string
// RequestData contains the HTTP POST data
type RequestData struct {
// Key is a unique identifier for the data value
Key string `json:"key" yaml:"key"`
Key string `json:"key"`
// Value is the data value
Value *apiextv1.JSON `json:"value" yaml:"value"`
Value *apiextv1.JSON `json:"value"`
}
// Condition defines variable-based conditional criteria for rule execution.
type Condition struct {
// Key is the context entry (using JMESPath) for conditional rule evaluation.
RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`
RawKey *apiextv1.JSON `json:"key,omitempty"`
// Operator is the conditional operation to perform. Valid operators are:
// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
// DurationLessThanOrEquals, DurationLessThan
Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
Operator ConditionOperator `json:"operator,omitempty"`
// Value is the conditional value, or set of values. The values can be fixed set
// or can be variables declared using JMESPath.
// +optional
RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
RawValue *apiextv1.JSON `json:"value,omitempty"`
// Message is an optional display message
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
}
func (c *Condition) GetKey() apiextensions.JSON {
@ -357,10 +357,10 @@ type ResourceFilters []ResourceFilter
type ResourceFilter struct {
// UserInfo contains information about the user performing the operation.
// +optional
UserInfo `json:",omitempty" yaml:",omitempty"`
UserInfo `json:",omitempty"`
// ResourceDescription contains information about the resource being created or modified.
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
ResourceDescription `json:"resources,omitempty"`
}
func (r ResourceFilter) IsEmpty() bool {
@ -371,26 +371,26 @@ func (r ResourceFilter) IsEmpty() bool {
type Mutation struct {
// MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events.
// +optional
MutateExistingOnPolicyUpdate *bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
MutateExistingOnPolicyUpdate *bool `json:"mutateExistingOnPolicyUpdate,omitempty"`
// Targets defines the target resources to be mutated.
// +optional
Targets []TargetResourceSpec `json:"targets,omitempty" yaml:"targets,omitempty"`
Targets []TargetResourceSpec `json:"targets,omitempty"`
// PatchStrategicMerge is a strategic merge patch used to modify resources.
// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
// and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
// +optional
RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`
RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty"`
// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
// +optional
PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
PatchesJSON6902 string `json:"patchesJson6902,omitempty"`
// ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
// +optional
ForEachMutation []ForEachMutation `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachMutation []ForEachMutation `json:"foreach,omitempty"`
}
func (m *Mutation) GetPatchStrategicMerge() apiextensions.JSON {
@ -405,23 +405,23 @@ func (m *Mutation) SetPatchStrategicMerge(in apiextensions.JSON) {
type ForEachMutation struct {
// List specifies a JMESPath expression that results in one or more elements
// to which the validation logic is applied.
List string `json:"list,omitempty" yaml:"list,omitempty"`
List string `json:"list,omitempty"`
// Order defines the iteration order on the list.
// Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element.
// +optional
Order *ForeachOrder `json:"order,omitempty" yaml:"order,omitempty"`
Order *ForeachOrder `json:"order,omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []ContextEntry `json:"context,omitempty"`
// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty"`
// PatchStrategicMerge is a strategic merge patch used to modify resources.
// See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
@ -429,18 +429,18 @@ type ForEachMutation struct {
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`
RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty"`
// PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
// See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
// +optional
PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
PatchesJSON6902 string `json:"patchesJson6902,omitempty"`
// Foreach declares a nested foreach iterator
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
ForEachMutation *ForEachMutationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachMutation *ForEachMutationWrapper `json:"foreach,omitempty"`
}
func (m *ForEachMutation) GetForEachMutation() []ForEachMutation {
@ -466,46 +466,46 @@ type Validation struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
FailureAction *ValidationFailureAction `json:"failureAction,omitempty"`
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional
FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
// Manifest specifies conditions for manifest verification
// +optional
Manifests *Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"`
Manifests *Manifests `json:"manifests,omitempty"`
// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
// +optional
ForEachValidation []ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachValidation []ForEachValidation `json:"foreach,omitempty"`
// Pattern specifies an overlay-style pattern used to check resources.
// +optional
RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`
RawPattern *apiextv1.JSON `json:"pattern,omitempty"`
// AnyPattern specifies list of validation patterns. At least one of the patterns
// must be satisfied for the validation rule to succeed.
// +optional
RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty"`
// Deny defines conditions used to pass or fail a validation rule.
// +optional
Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
Deny *Deny `json:"deny,omitempty"`
// PodSecurity applies exemptions for Kubernetes Pod Security admission
// by specifying exclusions for Pod Security Standards controls.
// +optional
PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
PodSecurity *PodSecurity `json:"podSecurity,omitempty"`
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
// +optional
CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
CEL *CEL `json:"cel,omitempty"`
// Assert defines a kyverno-json assertion tree.
// +optional
@ -518,16 +518,16 @@ type PodSecurity struct {
// Level defines the Pod Security Standard level to be applied to workloads.
// Allowed values are privileged, baseline, and restricted.
// +kubebuilder:validation:Enum=privileged;baseline;restricted
Level api.Level `json:"level,omitempty" yaml:"level,omitempty"`
Level api.Level `json:"level,omitempty"`
// Version defines the Pod Security Standard versions that Kubernetes supports.
// Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
// +kubebuilder:validation:Enum=v1.19;v1.20;v1.21;v1.22;v1.23;v1.24;v1.25;v1.26;v1.27;v1.28;v1.29;latest
// +optional
Version string `json:"version,omitempty" yaml:"version,omitempty"`
Version string `json:"version,omitempty"`
// Exclude specifies the Pod Security Standard controls to be excluded.
Exclude []PodSecurityStandard `json:"exclude,omitempty" yaml:"exclude,omitempty"`
Exclude []PodSecurityStandard `json:"exclude,omitempty"`
}
// PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
@ -535,23 +535,23 @@ type PodSecurityStandard struct {
// ControlName specifies the name of the Pod Security Standard control.
// See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
// +kubebuilder:validation:Enum=HostProcess;Host Namespaces;Privileged Containers;Capabilities;HostPath Volumes;Host Ports;AppArmor;SELinux;/proc Mount Type;Seccomp;Sysctls;Volume Types;Privilege Escalation;Running as Non-root;Running as Non-root user
ControlName string `json:"controlName" yaml:"controlName"`
ControlName string `json:"controlName"`
// Images selects matching containers and applies the container level PSS.
// Each image is the image name consisting of the registry address, repository, image, and tag.
// Empty list matches no containers, PSS checks are applied at the pod level only.
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +optional
Images []string `json:"images,omitempty" yaml:"images,omitempty"`
Images []string `json:"images,omitempty"`
// RestrictedField selects the field for the given Pod Security Standard control.
// When not set, all restricted fields for the control are selected.
// +optional
RestrictedField string `json:"restrictedField,omitempty" yaml:"restrictedField,omitempty"`
RestrictedField string `json:"restrictedField,omitempty"`
// Values defines the allowed values that can be excluded.
// +optional
Values []string `json:"values,omitempty" yaml:"values,omitempty"`
Values []string `json:"values,omitempty"`
}
func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList) {
@ -579,25 +579,25 @@ func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
type CEL struct {
// Expressions is a list of CELExpression types.
Expressions []admissionregistrationv1beta1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
Expressions []admissionregistrationv1beta1.Validation `json:"expressions,omitempty"`
// ParamKind is a tuple of Group Kind and Version.
// +optional
ParamKind *admissionregistrationv1beta1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
ParamKind *admissionregistrationv1beta1.ParamKind `json:"paramKind,omitempty"`
// ParamRef references a parameter resource.
// +optional
ParamRef *admissionregistrationv1beta1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
ParamRef *admissionregistrationv1beta1.ParamRef `json:"paramRef,omitempty"`
// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
// +optional
AuditAnnotations []admissionregistrationv1beta1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
AuditAnnotations []admissionregistrationv1beta1.AuditAnnotation `json:"auditAnnotations,omitempty"`
// Variables contain definitions of variables that can be used in composition of other expressions.
// Each variable is defined as a named CEL expression.
// The variables defined here will be available under `variables` in other expressions of the policy.
// +optional
Variables []admissionregistrationv1beta1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
Variables []admissionregistrationv1beta1.Variable `json:"variables,omitempty"`
}
func (c *CEL) HasParam() bool {
@ -667,7 +667,7 @@ type Deny struct {
// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawAnyAllConditions *ConditionsWrapper `json:"conditions,omitempty" yaml:"conditions,omitempty"`
RawAnyAllConditions *ConditionsWrapper `json:"conditions,omitempty"`
}
func (d *Deny) GetAnyAllConditions() any {
@ -689,43 +689,43 @@ func (d *Deny) SetAnyAllConditions(in any) {
type ForEachValidation struct {
// List specifies a JMESPath expression that results in one or more elements
// to which the validation logic is applied.
List string `json:"list,omitempty" yaml:"list,omitempty"`
List string `json:"list,omitempty"`
// ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
// When set to "false", "request.object" is used as the validation scope within the foreach
// block to allow referencing other elements in the subtree.
// +optional
ElementScope *bool `json:"elementScope,omitempty" yaml:"elementScope,omitempty"`
ElementScope *bool `json:"elementScope,omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []ContextEntry `json:"context,omitempty"`
// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty"`
// Pattern specifies an overlay-style pattern used to check resources.
// +optional
RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`
RawPattern *apiextv1.JSON `json:"pattern,omitempty"`
// AnyPattern specifies list of validation patterns. At least one of the patterns
// must be satisfied for the validation rule to succeed.
// +optional
RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty"`
// Deny defines conditions used to pass or fail a validation rule.
// +optional
Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
Deny *Deny `json:"deny,omitempty"`
// Foreach declares a nested foreach iterator
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
ForEachValidation *ForEachValidationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachValidation *ForEachValidationWrapper `json:"foreach,omitempty"`
}
func (v *ForEachValidation) GetForEachValidation() []ForEachValidation {
@ -756,82 +756,82 @@ type Generation struct {
// GenerateExisting controls whether to trigger the rule in existing resources
// If is set to "true" the rule will be triggered and applied to existing matched resources.
// +optional
GenerateExisting *bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`
GenerateExisting *bool `json:"generateExisting,omitempty"`
// Synchronize controls if generated resources should be kept in-sync with their source resource.
// If Synchronize is set to "true" changes to generated resources will be overwritten with resource
// data from Data or the resource specified in the Clone declaration.
// Optional. Defaults to "false" if not specified.
// +optional
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
Synchronize bool `json:"synchronize,omitempty"`
// OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated
// them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type.
// See https://kyverno.io/docs/writing-policies/generate/#data-examples.
// Defaults to "false" if not specified.
// +optional
OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"`
OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty"`
// +optional
GeneratePattern `json:",omitempty" yaml:",omitempty"`
GeneratePattern `json:",omitempty"`
// ForEach applies generate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
// +optional
ForEachGeneration []ForEachGeneration `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachGeneration []ForEachGeneration `json:"foreach,omitempty"`
}
type GeneratePattern struct {
// ResourceSpec contains information to select the resource.
// +kubebuilder:validation:Optional
ResourceSpec `json:",omitempty" yaml:",omitempty"`
ResourceSpec `json:",omitempty"`
// Data provides the resource declaration used to populate each generated resource.
// At most one of Data or Clone must be specified. If neither are provided, the generated
// resource will be created with default data only.
// +optional
RawData *apiextv1.JSON `json:"data,omitempty" yaml:"data,omitempty"`
RawData *apiextv1.JSON `json:"data,omitempty"`
// Clone specifies the source resource used to populate each generated resource.
// At most one of Data or Clone can be specified. If neither are provided, the generated
// resource will be created with default data only.
// +optional
Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`
Clone CloneFrom `json:"clone,omitempty"`
// CloneList specifies the list of source resource used to populate each generated resource.
// +optional
CloneList CloneList `json:"cloneList,omitempty" yaml:"cloneList,omitempty"`
CloneList CloneList `json:"cloneList,omitempty"`
}
type ForEachGeneration struct {
// List specifies a JMESPath expression that results in one or more elements
// to which the validation logic is applied.
List string `json:"list,omitempty" yaml:"list,omitempty"`
List string `json:"list,omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []ContextEntry `json:"context,omitempty"`
// AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
AnyAllConditions *AnyAllConditions `json:"preconditions,omitempty"`
GeneratePattern `json:",omitempty" yaml:",omitempty"`
GeneratePattern `json:",omitempty"`
}
type CloneList struct {
// Namespace specifies source resource namespace.
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
Namespace string `json:"namespace,omitempty"`
// Kinds is a list of resource kinds.
Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
Kinds []string `json:"kinds,omitempty"`
// Selector is a label selector. Label keys and values in `matchLabels`.
// wildcard characters are not supported.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
Selector *metav1.LabelSelector `json:"selector,omitempty"`
}
func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
@ -994,32 +994,32 @@ const (
type CloneFrom struct {
// Namespace specifies source resource namespace.
// +optional
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
Namespace string `json:"namespace,omitempty"`
// Name specifies name of the resource.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
Name string `json:"name,omitempty"`
}
type Manifests struct {
// Attestors specified the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
Attestors []AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`
Attestors []AttestorSet `json:"attestors,omitempty"`
// AnnotationDomain is custom domain of annotation for message and signature. Default is "cosign.sigstore.dev".
// +optional
AnnotationDomain string `json:"annotationDomain,omitempty" yaml:"annotationDomain,omitempty"`
AnnotationDomain string `json:"annotationDomain,omitempty"`
// Fields which will be ignored while comparing manifests.
// +optional
IgnoreFields IgnoreFieldList `json:"ignoreFields,omitempty" yaml:"ignoreFields,omitempty"`
IgnoreFields IgnoreFieldList `json:"ignoreFields,omitempty"`
// DryRun configuration
// +optional
DryRunOption DryRunOption `json:"dryRun,omitempty" yaml:"dryRun,omitempty"`
DryRunOption DryRunOption `json:"dryRun,omitempty"`
// Repository is an optional alternate OCI repository to use for resource bundle reference.
// The repository can be overridden per Attestor or Attestation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
Repository string `json:"repository,omitempty"`
}
// DryRunOption is a configuration for dryrun.
@ -1027,8 +1027,8 @@ type Manifests struct {
// which provides robust matching against changes by defaults and other admission controllers.
// Dryrun requires additional permissions. See config/dryrun/dryrun_rbac.yaml
type DryRunOption struct {
Enable bool `json:"enable,omitempty" yaml:"enable,omitempty"`
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
Enable bool `json:"enable,omitempty"`
Namespace string `json:"namespace,omitempty"`
}
type IgnoreFieldList []ObjectFieldBinding


@ -44,62 +44,62 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
FailureAction *ValidationFailureAction `json:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options
// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
// +kubebuilder:validation:Optional
Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
Type ImageVerificationType `json:"type,omitempty"`
// Deprecated. Use ImageReferences instead.
// +kubebuilder:validation:Optional
Image string `json:"image,omitempty" yaml:"image,omitempty"`
Image string `json:"image,omitempty"`
// ImageReferences is a list of matching image reference patterns. At least one pattern in the
// list must match the image for the rule to apply. Each image reference consists of a registry
// address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"`
// SkipImageReferences is a list of matching image reference patterns that should be skipped.
// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`
SkipImageReferences []string `json:"skipImageReferences,omitempty"`
// Deprecated. Use StaticKeyAttestor instead.
Key string `json:"key,omitempty" yaml:"key,omitempty"`
Key string `json:"key,omitempty"`
// Deprecated. Use KeylessAttestor instead.
Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`
Roots string `json:"roots,omitempty"`
// Deprecated. Use KeylessAttestor instead.
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
Subject string `json:"subject,omitempty"`
// Deprecated. Use KeylessAttestor instead.
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
Issuer string `json:"issuer,omitempty"`
// Deprecated.
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"`
// Attestors specified the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
Attestors []AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`
Attestors []AttestorSet `json:"attestors,omitempty"`
// Attestations are optional checks for signed in-toto Statements used to verify the image.
// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
// OCI registry and decodes them into a list of Statement declarations.
Attestations []Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`
Attestations []Attestation `json:"attestations,omitempty"`
// Deprecated. Use annotations per Attestor instead.
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation.
// The repository can also be overridden per Attestor or Attestation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
Repository string `json:"repository,omitempty"`
// CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
// Defaults to false.
@ -110,12 +110,12 @@ type ImageVerification struct {
// Defaults to true.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`
MutateDigest bool `json:"mutateDigest"`
// VerifyDigest validates that images have a digest.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`
VerifyDigest bool `json:"verifyDigest"`
// Validation checks conditions across multiple image
// verification attestations or context entries
@ -124,16 +124,16 @@ type ImageVerification struct {
// Required validates that images are verified i.e. have matched passed a signature or attestation check.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
Required bool `json:"required" yaml:"required"`
Required bool `json:"required"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry.
// +kubebuilder:validation:Optional
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`
// UseCache enables caching of image verify responses for this rule.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
UseCache bool `json:"useCache" yaml:"useCache"`
UseCache bool `json:"useCache"`
}
type AttestorSet struct {
@ -142,12 +142,12 @@ type AttestorSet struct {
// value N, then N must be less than or equal to the size of entries, and at least N entries must match.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Minimum:=1
Count *int `json:"count,omitempty" yaml:"count,omitempty"`
Count *int `json:"count,omitempty"`
// Entries contains the available attestors. An attestor can be a static key,
// attributes for keyless verification, or a nested attestor declaration.
// +kubebuilder:validation:Optional
Entries []Attestor `json:"entries,omitempty" yaml:"entries,omitempty"`
Entries []Attestor `json:"entries,omitempty"`
}
func (as AttestorSet) RequiredCount() int {
@ -160,33 +160,33 @@ func (as AttestorSet) RequiredCount() int {
type Attestor struct {
// Keys specifies one or more public keys.
// +kubebuilder:validation:Optional
Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"`
Keys *StaticKeyAttestor `json:"keys,omitempty"`
// Certificates specifies one or more certificates.
// +kubebuilder:validation:Optional
Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"`
Certificates *CertificateAttestor `json:"certificates,omitempty"`
// Keyless is a set of attribute used to verify a Sigstore keyless attestor.
// See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
// +kubebuilder:validation:Optional
Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"`
Keyless *KeylessAttestor `json:"keyless,omitempty"`
// Attestor is a nested set of Attestor used to specify a more complex set of match authorities.
// +kubebuilder:validation:Optional
Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"`
Attestor *apiextv1.JSON `json:"attestor,omitempty"`
// Annotations are used for image verification.
// Every specified key-value pair must exist and match in the verified payload.
// The payload may contain other key-value pairs.
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
// Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
// If specified Repository will override other OCI image repository locations for this Attestor.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
Repository string `json:"repository,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty"`
}
type StaticKeyAttestor struct {
@ -198,126 +198,126 @@ type StaticKeyAttestor struct {
// verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
// When multiple keys are specified each key is processed as a separate staticKey entry
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
PublicKeys string `json:"publicKeys,omitempty"`
// Deprecated. Use attestor.signatureAlgorithm instead.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty"`
// KMS provides the URI to the public key stored in a Key Management System. See:
// https://github.com/sigstore/cosign/blob/main/KMS.md
KMS string `json:"kms,omitempty" yaml:"kms,omitempty"`
KMS string `json:"kms,omitempty"`
// Reference to a Secret resource that contains a public key
Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"`
Secret *SecretReference `json:"secret,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty"`
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
CTLog *CTLog `json:"ctlog,omitempty"`
}
type SecretReference struct {
// Name of the secret. The provided secret must contain a key named cosign.pub.
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// Namespace name where the Secret exists.
Namespace string `json:"namespace" yaml:"namespace"`
Namespace string `json:"namespace"`
}
type CertificateAttestor struct {
// Cert is an optional PEM-encoded public certificate.
// +kubebuilder:validation:Optional
Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"`
Certificate string `json:"cert,omitempty"`
// CertChain is an optional PEM encoded set of certificates used to verify.
// +kubebuilder:validation:Optional
CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"`
CertificateChain string `json:"certChain,omitempty"`
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty"`
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
CTLog *CTLog `json:"ctlog,omitempty"`
}
type KeylessAttestor struct {
// Rekor provides configuration for the Rekor transparency log service. If an empty object
// is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
// +kubebuilder:validation:Optional
Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"`
Rekor *Rekor `json:"rekor,omitempty"`
// CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
// Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
// +kubebuilder:validation:Optional
CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"`
CTLog *CTLog `json:"ctlog,omitempty"`
// Issuer is the certificate issuer used for keyless signing.
// +kubebuilder:validation:Optional
Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
Issuer string `json:"issuer,omitempty"`
// IssuerRegExp is the regular expression to match certificate issuer used for keyless signing.
// +kubebuilder:validation:Optional
IssuerRegExp string `json:"issuerRegExp,omitempty" yaml:"issuerRegExp,omitempty"`
IssuerRegExp string `json:"issuerRegExp,omitempty"`
// Subject is the verified identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
Subject string `json:"subject,omitempty" yaml:"subject,omitempty"`
Subject string `json:"subject,omitempty"`
// SubjectRegExp is the regular expression to match identity used for keyless signing, for example the email address.
// +kubebuilder:validation:Optional
SubjectRegExp string `json:"subjectRegExp,omitempty" yaml:"subjectRegExp,omitempty"`
SubjectRegExp string `json:"subjectRegExp,omitempty"`
// Roots is an optional set of PEM encoded trusted root certificates.
// If not provided, the system roots are used.
// +kubebuilder:validation:Optional
Roots string `json:"roots,omitempty" yaml:"roots,omitempty"`
Roots string `json:"roots,omitempty"`
// AdditionalExtensions are certificate-extensions used for keyless signing.
// +kubebuilder:validation:Optional
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"`
AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty"`
}
type Rekor struct {
// URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev.
// +kubebuilder:validation:Optional
// +kubebuilder:Default:=https://rekor.sigstore.dev
URL string `json:"url" yaml:"url"`
URL string `json:"url"`
// RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
// If set, this will be used to validate transparency log signatures from a custom Rekor.
// +kubebuilder:validation:Optional
RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
RekorPubKey string `json:"pubkey,omitempty"`
// IgnoreTlog skips transparency log verification.
// +kubebuilder:validation:Optional
IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"`
IgnoreTlog bool `json:"ignoreTlog,omitempty"`
}
type CTLog struct {
// IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
// timestamp. Default is false. Set to true if this was opted out during signing.
// +kubebuilder:validation:Optional
IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"`
IgnoreSCT bool `json:"ignoreSCT,omitempty"`
// PubKey, if set, is used to validate SCTs against a custom source.
// +kubebuilder:validation:Optional
CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"`
CTLogPubKey string `json:"pubkey,omitempty"`
// TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
// contain the root CA certificate. Optionally may contain intermediate CA certificates, and
// may contain the leaf TSA certificate if not present in the timestamurce.
// +kubebuilder:validation:Optional
TSACertChain string `json:"tsaCertChain,omitempty" yaml:"tsaCertChain,omitempty"`
TSACertChain string `json:"tsaCertChain,omitempty"`
}
// Attestation are checks for signed in-toto Statements that are used to verify the image.
@ -329,36 +329,36 @@ type Attestation struct {
// Deprecated in favour of 'Type', to be removed soon
// +kubebuilder:validation:Optional
PredicateType string `json:"predicateType" yaml:"predicateType"`
PredicateType string `json:"predicateType"`
// Type defines the type of attestation contained within the Statement.
// +kubebuilder:validation:Optional
Type string `json:"type" yaml:"type"`
Type string `json:"type"`
// Attestors specify the required attestors (i.e. authorities).
// +kubebuilder:validation:Optional
Attestors []AttestorSet `json:"attestors" yaml:"attestors"`
Attestors []AttestorSet `json:"attestors"`
// Conditions are used to verify attributes within a Predicate. If no Conditions are specified
// the attestation check is satisfied as long there are predicates that match the predicate type.
// +kubebuilder:validation:Optional
Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
Conditions []AnyAllConditions `json:"conditions,omitempty"`
}
type ImageRegistryCredentials struct {
// AllowInsecureRegistry allows insecure access to a registry.
// +kubebuilder:validation:Optional
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty"`
// Providers specifies a list of OCI Registry names, whose authentication providers are provided.
// It can be of one of these values: default,google,azure,amazon,github.
// +kubebuilder:validation:Optional
Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"`
Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty"`
// Secrets specifies a list of secrets that are provided for credentials.
// Secrets must live in the Kyverno namespace.
// +kubebuilder:validation:Optional
Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
Secrets []string `json:"secrets,omitempty"`
}
// ValidateImageVerification checks conditions across multiple image
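Review bot: Dropping the `yaml:` tags on ImageVerification, AttestorSet, Attestor, StaticKeyAttestor, KeylessAttestor, Rekor and CTLog in this section silently changes key binding for any decoder that honours struct tags directly (gopkg.in/yaml.v2/v3 fall back to the lowercased field name when no tag is present), so camel-case keys such as `imageReferences`, `skipImageReferences`, `signatureAlgorithm` or `ignoreTlog` would no longer bind and would be dropped without an error, leaving a verification rule evaluated with a different scope than the author wrote. This only matters if some path (CLI, tests, fixtures) decodes these types with gopkg.in/yaml rather than the JSON-tag-aware sigs.k8s.io/yaml; that is not visible in the diff, so it is worth confirming with a search before merging. A short comment near the type declarations would pin that contract for future contributors, e.g. `// Struct tags are json-only: YAML manifests must be decoded with a JSON-tag-aware decoder (sigs.k8s.io/yaml), not gopkg.in/yaml.` The same point applies to the MatchResources, PolicyStatus, Policy, ResourceDescription and ResourceSpec sections below, and the ImageVerification struct itself begins before the first hunk shown here.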


@ -11,24 +11,24 @@ import (
type MatchResources struct {
// Any allows specifying resources which will be ORed
// +optional
Any ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
Any ResourceFilters `json:"any,omitempty"`
// All allows specifying resources which will be ANDed
// +optional
All ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
All ResourceFilters `json:"all,omitempty"`
// UserInfo contains information about the user performing the operation.
// Specifying UserInfo directly under match is being deprecated.
// Please specify under "any" or "all" instead.
// +optional
UserInfo `json:",omitempty" yaml:",omitempty"`
UserInfo `json:",omitempty"`
// ResourceDescription contains information about the resource being created or modified.
// Requires at least one tag to be specified when under MatchResources.
// Specifying ResourceDescription directly under match is being deprecated.
// Please specify under "any" or "all" instead.
// +optional
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
ResourceDescription `json:"resources,omitempty"`
}
// GetKinds returns all kinds


@ -25,25 +25,25 @@ type PolicyStatus struct {
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
// +optional
Autogen AutogenStatus `json:"autogen" yaml:"autogen"`
Autogen AutogenStatus `json:"autogen"`
// +optional
RuleCount RuleCountStatus `json:"rulecount" yaml:"rulecount"`
RuleCount RuleCountStatus `json:"rulecount"`
// ValidatingAdmissionPolicy contains status information
// +optional
ValidatingAdmissionPolicy ValidatingAdmissionPolicyStatus `json:"validatingadmissionpolicy" yaml:"validatingadmissionpolicy"`
ValidatingAdmissionPolicy ValidatingAdmissionPolicyStatus `json:"validatingadmissionpolicy"`
}
// RuleCountStatus contains four variables which describes counts for
// validate, generate, mutate and verify images rules
type RuleCountStatus struct {
// Count for validate rules in policy
Validate int `json:"validate" yaml:"validate"`
Validate int `json:"validate"`
// Count for generate rules in policy
Generate int `json:"generate" yaml:"generate"`
Generate int `json:"generate"`
// Count for mutate rules in policy
Mutate int `json:"mutate" yaml:"mutate"`
Mutate int `json:"mutate"`
// Count for verify image rules in policy
VerifyImages int `json:"verifyimages" yaml:"verifyimages"`
VerifyImages int `json:"verifyimages"`
}
func (status *PolicyStatus) SetReady(ready bool, message string) {
@ -71,14 +71,14 @@ func (status *PolicyStatus) IsReady() bool {
// AutogenStatus contains autogen status information.
type AutogenStatus struct {
// Rules is a list of Rule instances. It contains auto generated rules added for pod controllers
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
Rules []Rule `json:"rules,omitempty"`
}
// ValidatingAdmissionPolicy contains status information
type ValidatingAdmissionPolicyStatus struct {
// Generated indicates whether a validating admission policy is generated from the policy or not
Generated bool `json:"generated" yaml:"generated"`
Generated bool `json:"generated"`
// Message is a human readable message indicating details about the generation of validating admission policy
// It is an empty string when validating admission policy is successfully generated.
Message string `json:"message" yaml:"message"`
Message string `json:"message"`
}


@ -29,15 +29,15 @@ import (
// Policy declares validation, mutation, and generation behaviors for matching resources.
// See: https://kyverno.io/docs/writing-policies/ for more information.
type Policy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec defines policy behaviors and contains one or more rules.
Spec Spec `json:"spec" yaml:"spec"`
Spec Spec `json:"spec"`
// +optional
// Deprecated. Policy metrics are available via the metrics endpoint
Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
Status PolicyStatus `json:"status,omitempty"`
}
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
@ -132,7 +132,7 @@ func (p *Policy) CreateDeepCopy() PolicyInterface {
// PolicyList is a list of Policy instances.
type PolicyList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []Policy `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []Policy `json:"items"`
}


@ -14,36 +14,36 @@ import (
type ResourceDescription struct {
// Kinds is a list of resource kinds.
// +optional
Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
Kinds []string `json:"kinds,omitempty"`
// Name is the name of the resource. The name supports wildcard characters
// "*" (matches zero or many characters) and "?" (at least one character).
// NOTE: "Name" is being deprecated in favor of "Names".
// +optional
Name string `json:"name,omitempty" yaml:"name,omitempty"`
Name string `json:"name,omitempty"`
// Names are the names of the resources. Each name supports wildcard characters
// "*" (matches zero or many characters) and "?" (at least one character).
// +optional
Names []string `json:"names,omitempty" yaml:"names,omitempty"`
Names []string `json:"names,omitempty"`
// Namespaces is a list of namespaces names. Each name supports wildcard characters
// "*" (matches zero or many characters) and "?" (at least one character).
// +optional
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
Namespaces []string `json:"namespaces,omitempty"`
// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
// and values support the wildcard characters "*" (matches zero or many characters) and
// "?" (matches at least one character).
// +optional
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
// characters `*` (matches zero or many characters) and `?` (matches one character).
// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
// using ["*" : "*"] matches any key and value but does not match an empty label set.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
Selector *metav1.LabelSelector `json:"selector,omitempty"`
// NamespaceSelector is a label selector for the resource namespace. Label keys and values
// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
@ -51,11 +51,11 @@ type ResourceDescription struct {
// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
// does not match an empty label set.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
// +optional
Operations []AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"`
Operations []AdmissionOperation `json:"operations,omitempty"`
}
func (r ResourceDescription) IsEmpty() bool {


@ -10,18 +10,18 @@ import (
type ResourceSpec struct {
// APIVersion specifies resource apiVersion.
// +optional
APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
APIVersion string `json:"apiVersion,omitempty"`
// Kind specifies resource kind.
Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`
Kind string `json:"kind,omitempty"`
// Namespace specifies resource namespace.
// +optional
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
Namespace string `json:"namespace,omitempty"`
// Name specifies the resource name.
// +optional
Name string `json:"name,omitempty" yaml:"name,omitempty"`
Name string `json:"name,omitempty"`
// UID specifies the resource uid.
// +optional
UID types.UID `json:"uid,omitempty" yaml:"uid,omitempty"`
UID types.UID `json:"uid,omitempty"`
}
func (s ResourceSpec) GetName() string { return s.Name }
@ -40,11 +40,11 @@ func (s ResourceSpec) String() string {
// TargetResourceSpec defines targets for mutating existing resources.
type TargetResourceSpec struct {
// ResourceSpec contains the target resources to load when mutating existing resources.
ResourceSpec `json:",omitempty" yaml:",omitempty"`
ResourceSpec `json:",omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []ContextEntry `json:"context,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
@ -54,7 +54,7 @@ type TargetResourceSpec struct {
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty"`
}
func (r *TargetResourceSpec) GetAnyAllConditions() any {


@ -18,25 +18,25 @@ type ImageExtractorConfig struct {
// Path is the path to the object containing the image field in a custom resource.
// It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
// Wildcard keys are expanded in case of arrays or objects.
Path string `json:"path" yaml:"path"`
Path string `json:"path"`
// Value is an optional name of the field within 'path' that points to the image URI.
// This is useful when a custom 'key' is also defined.
// +optional
Value string `json:"value,omitempty" yaml:"value,omitempty"`
Value string `json:"value,omitempty"`
// Name is the entry the image will be available under 'images.<name>' in the context.
// If this field is not defined, image entries will appear under 'images.custom'.
// +optional
Name string `json:"name,omitempty" yaml:"name,omitempty"`
Name string `json:"name,omitempty"`
// Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
// Note - this field MUST be unique.
// +optional
Key string `json:"key,omitempty" yaml:"key,omitempty"`
Key string `json:"key,omitempty"`
// JMESPath is an optional JMESPath expression to apply to the image value.
// This is useful when the extracted image begins with a prefix like 'docker://'.
// The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
// Note - Image digest mutation may not be used when applying a JMESPAth to an image.
// +optional
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
JMESPath string `json:"jmesPath,omitempty"`
}
// Rule defines a validation, mutation, or generation control for matching resources.
@ -45,32 +45,32 @@ type ImageExtractorConfig struct {
type Rule struct {
// Name is a label to identify the rule, It must be unique within the policy.
// +kubebuilder:validation:MaxLength=63
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []ContextEntry `json:"context,omitempty"`
// ReportProperties are the additional properties from the rule that will be added to the policy report result
// +optional
ReportProperties map[string]string `json:"reportProperties,omitempty" yaml:"reportProperties,omitempty"`
ReportProperties map[string]string `json:"reportProperties,omitempty"`
// MatchResources defines when this policy rule should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role.
// At least one kind is required.
MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
MatchResources MatchResources `json:"match,omitempty"`
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
ExcludeResources MatchResources `json:"exclude,omitempty"`
// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
// This config is only valid for verifyImages rules.
// +optional
ImageExtractors ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`
ImageExtractors ImageExtractorConfigs `json:"imageExtractors,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
@ -80,35 +80,35 @@ type Rule struct {
// +optional
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty"`
// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
// set of CEL conditions. It can only be used with the validate.cel subrule
// +optional
CELPreconditions []admissionregistrationv1beta1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
CELPreconditions []admissionregistrationv1beta1.MatchCondition `json:"celPreconditions,omitempty"`
// Mutation is used to modify matching resources.
// +optional
Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
Mutation Mutation `json:"mutate,omitempty"`
// Validation is used to validate matching resources.
// +optional
Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
Validation Validation `json:"validate,omitempty"`
// Generation is used to create new resources.
// +optional
Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
Generation Generation `json:"generate,omitempty"`
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
VerifyImages []ImageVerification `json:"verifyImages,omitempty"`
// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
// The default value is set to "true", it must be set to "false" to apply
// generate and mutateExisting rules to those requests.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty"`
}
// HasMutate checks for mutate rule


@ -42,34 +42,34 @@ func (a ValidationFailureAction) IsValid() bool {
type ValidationFailureActionOverride struct {
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
Action ValidationFailureAction `json:"action,omitempty"`
Namespaces []string `json:"namespaces,omitempty"`
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
// Spec contains a list of Rule instances and other policy controls.
type Spec struct {
// Rules is a list of Rule instances. A Policy contains multiple rules and
// each rule can validate, mutate, or generate resources.
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
Rules []Rule `json:"rules,omitempty"`
// ApplyRules controls how rules in a policy are applied. Rule are processed in
// the order of declaration. When set to `One` processing stops after a rule has
// been applied i.e. the rule matches and results in a pass, fail, or error. When
// set to `All` all rules in the policy are processed. The default is `All`.
// +optional
ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
ApplyRules *ApplyRulesType `json:"applyRules,omitempty"`
// Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty"`
// Deprecated, use validationFailureAction under the validate rule instead.
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=Audit
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty"`
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty"`
// EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit.
// Enabling this option will extend admission request processing times. The default value is "false".
@ -81,42 +81,42 @@ type Spec struct {
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
Admission *bool `json:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
Background *bool `json:"background,omitempty"`
// Deprecated.
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
SchemaValidation *bool `json:"schemaValidation,omitempty"`
// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty"`
// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
// +optional
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting instead
// +optional
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting under the generate rule instead
// +optional
GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`
GenerateExisting bool `json:"generateExisting,omitempty"`
// UseServerSideApply controls whether to use server-side apply for generate rules
// If is set to "true" create & update for generate rules will use apply instead of create/update.
// Defaults to "false" if not specified.
// +optional
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
UseServerSideApply bool `json:"useServerSideApply,omitempty"`
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
// +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
}
func (s *Spec) CustomWebhookMatchConditions() bool {
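Review bot: Dropping the `yaml:` tags on `Spec` and `ValidationFailureActionOverride` (and on every other struct in this commit) makes the YAML key of each field depend on the decoder in use, and only decoding that routes through the `json` tags (`sigs.k8s.io/yaml` style) is unaffected. A direct `gopkg.in/yaml` decode falls back to the lowercased Go field name, so a key such as `applyRules` or `validationFailureActionOverrides` would stop matching and be silently dropped rather than rejected — for policy controls that is a fail-open, not a parse error. The decoders are not visible from this diff, so this is a check rather than a confirmed defect; the fact that `PolicyExceptionSpec.Conditions` in a later section already carried only a `json` tag suggests the yaml tags were unused, but a round-trip test that loads a manifest setting these keys through the policy-loading path and asserts the fields are populated would pin that assumption. The middle of `Spec` between the two hunks is not shown here.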


@ -12,15 +12,15 @@ import (
type UserInfo struct {
// Roles is the list of namespaced role names for the user.
// +optional
Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
Roles []string `json:"roles,omitempty"`
// ClusterRoles is the list of cluster-wide role names for the user.
// +optional
ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
ClusterRoles []string `json:"clusterRoles,omitempty"`
// Subjects is the list of subject names like users, user groups, and service accounts.
// +optional
Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
Subjects []rbacv1.Subject `json:"subjects,omitempty"`
}
func (r UserInfo) IsEmpty() bool {


@ -26,20 +26,20 @@ import (
// UpdateRequestStatus defines the observed state of UpdateRequest
type UpdateRequestStatus struct {
// Deprecated
Handler string `json:"handler,omitempty" yaml:"handler,omitempty"`
Handler string `json:"handler,omitempty"`
// State represents state of the update request.
State UpdateRequestState `json:"state" yaml:"state"`
State UpdateRequestState `json:"state"`
// Specifies request status message.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
// This will track the resources that are updated by the generate Policy.
// Will be used during clean up resources.
GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty"`
RetryCount int `json:"retryCount,omitempty" yaml:"retryCount,omitempty"`
RetryCount int `json:"retryCount,omitempty"`
}
// +genclient
@ -81,34 +81,34 @@ const (
type UpdateRequestSpec struct {
// Type represents request type for background processing
// +kubebuilder:validation:Enum=mutate;generate
Type RequestType `json:"requestType,omitempty" yaml:"requestType,omitempty"`
Type RequestType `json:"requestType,omitempty"`
// Specifies the name of the policy.
Policy string `json:"policy" yaml:"policy"`
Policy string `json:"policy"`
// Rule is the associate rule name of the current UR.
Rule string `json:"rule" yaml:"rule"`
Rule string `json:"rule"`
// DeleteDownstream represents whether the downstream needs to be deleted.
DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
DeleteDownstream bool `json:"deleteDownstream"`
// Synchronize represents the sync behavior of the corresponding rule
// Optional. Defaults to "false" if not specified.
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
Synchronize bool `json:"synchronize,omitempty"`
// ResourceSpec is the information to identify the trigger resource.
Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
Resource kyvernov1.ResourceSpec `json:"resource"`
// Context ...
Context UpdateRequestSpecContext `json:"context" yaml:"context"`
Context UpdateRequestSpecContext `json:"context"`
}
// UpdateRequestSpecContext stores the context to be shared.
type UpdateRequestSpecContext struct {
// +optional
UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
UserRequestInfo RequestInfo `json:"userInfo,omitempty"`
// +optional
AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"`
AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty"`
}
// RequestInfo contains permission info carried in an admission request.
@ -116,24 +116,24 @@ type RequestInfo struct {
// Roles is a list of possible role send the request.
// +nullable
// +optional
Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
Roles []string `json:"roles,omitempty"`
// ClusterRoles is a list of possible clusterRoles send the request.
// +nullable
// +optional
ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
ClusterRoles []string `json:"clusterRoles,omitempty"`
// UserInfo is the userInfo carried in the admission request.
// +optional
AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo"`
}
// AdmissionRequestInfoObject stores the admission request and operation details
type AdmissionRequestInfoObject struct {
// +optional
AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty"`
// +optional
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
Operation admissionv1.Operation `json:"operation,omitempty"`
}
// UpdateRequestState defines the state of request.


@ -204,7 +204,7 @@ type ClusterCleanupPolicyList struct {
type CleanupPolicySpec struct {
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []kyvernov1.ContextEntry `json:"context,omitempty"`
// MatchResources defines when cleanuppolicy should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)


@ -44,22 +44,22 @@ type Condition struct {
// Key is the context entry (using JMESPath) for conditional rule evaluation.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawKey *kyverno.Any `json:"key,omitempty" yaml:"key,omitempty"`
RawKey *kyverno.Any `json:"key,omitempty"`
// Operator is the conditional operation to perform. Valid operators are:
// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
// DurationLessThanOrEquals, DurationLessThan
Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
Operator ConditionOperator `json:"operator,omitempty"`
// Value is the conditional value, or set of values. The values can be fixed set
// or can be variables declared using JMESPath.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawValue *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"`
RawValue *kyverno.Any `json:"value,omitempty"`
// Message is an optional display message
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
}
func (c *Condition) GetKey() any {
@ -84,12 +84,12 @@ type AnyAllConditions struct {
// using JMESPath notation.
// Here, at least one of the conditions need to pass.
// +optional
AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
AnyConditions []Condition `json:"any,omitempty"`
// AllConditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// Here, all of the conditions need to pass.
// +optional
AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
AllConditions []Condition `json:"all,omitempty"`
}


@ -31,11 +31,11 @@ import (
// PolicyException declares resources to be excluded from specified policies.
type PolicyException struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
Spec PolicyExceptionSpec `json:"spec"`
}
// Validate implements programmatic validation
@ -63,10 +63,10 @@ type PolicyExceptionSpec struct {
// Background controls if exceptions are applied to existing policies during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
Background *bool `json:"background,omitempty"`
// Match defines match clause used to check if a resource applies to the exception
Match kyvernov2beta1.MatchResources `json:"match" yaml:"match"`
Match kyvernov2beta1.MatchResources `json:"match"`
// Conditions are used to determine if a resource applies to the exception by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
@ -74,12 +74,12 @@ type PolicyExceptionSpec struct {
Conditions *AnyAllConditions `json:"conditions,omitempty"`
// Exceptions is a list policy/rules to be excluded
Exceptions []Exception `json:"exceptions" yaml:"exceptions"`
Exceptions []Exception `json:"exceptions"`
// PodSecurity specifies the Pod Security Standard controls to be excluded.
// Applicable only to policies that have validate.podSecurity subrule.
// +optional
PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty"`
}
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool {
@ -124,10 +124,10 @@ type Exception struct {
// PolicyName identifies the policy to which the exception is applied.
// The policy name uses the format <namespace>/<name> unless it
// references a ClusterPolicy.
PolicyName string `json:"policyName" yaml:"policyName"`
PolicyName string `json:"policyName"`
// RuleNames identifies the rules to which the exception is applied.
RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
RuleNames []string `json:"ruleNames"`
}
// Validate implements programmatic validation
@ -155,7 +155,7 @@ func (p *Exception) Contains(policy string, rule string) bool {
// PolicyExceptionList is a list of Policy Exceptions
type PolicyExceptionList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []PolicyException `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []PolicyException `json:"items"`
}


@ -26,17 +26,17 @@ import (
// UpdateRequestStatus defines the observed state of UpdateRequest
type UpdateRequestStatus struct {
// State represents state of the update request.
State UpdateRequestState `json:"state" yaml:"state"`
State UpdateRequestState `json:"state"`
// Specifies request status message.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
// This will track the resources that are updated by the generate Policy.
// Will be used during clean up resources.
GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty"`
RetryCount int `json:"retryCount,omitempty" yaml:"retryCount,omitempty"`
RetryCount int `json:"retryCount,omitempty"`
}
// +genclient
@ -77,56 +77,56 @@ const (
type UpdateRequestSpec struct {
// Type represents request type for background processing
// +kubebuilder:validation:Enum=mutate;generate
Type RequestType `json:"requestType,omitempty" yaml:"requestType,omitempty"`
Type RequestType `json:"requestType,omitempty"`
// Specifies the name of the policy.
Policy string `json:"policy" yaml:"policy"`
Policy string `json:"policy"`
// RuleContext is the associate context to apply rules.
// optional
RuleContext []RuleContext `json:"ruleContext,omitempty" yaml:"ruleContext,omitempty"`
RuleContext []RuleContext `json:"ruleContext,omitempty"`
// Rule is the associate rule name of the current UR.
Rule string `json:"rule" yaml:"rule"`
Rule string `json:"rule"`
// DeleteDownstream represents whether the downstream needs to be deleted.
// Deprecated
DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
DeleteDownstream bool `json:"deleteDownstream"`
// Synchronize represents the sync behavior of the corresponding rule
// Optional. Defaults to "false" if not specified.
// Deprecated, will be removed in 1.14.
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
Synchronize bool `json:"synchronize,omitempty"`
// ResourceSpec is the information to identify the trigger resource.
Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
Resource kyvernov1.ResourceSpec `json:"resource"`
// Context represents admission request context.
// It is used upon admission review only and is shared across rules within the same UR.
Context UpdateRequestSpecContext `json:"context" yaml:"context"`
Context UpdateRequestSpecContext `json:"context"`
}
type RuleContext struct {
// Rule is the associate rule name of the current UR.
Rule string `json:"rule" yaml:"rule"`
Rule string `json:"rule"`
// DeleteDownstream represents whether the downstream needs to be deleted.
DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
DeleteDownstream bool `json:"deleteDownstream"`
// Synchronize represents the sync behavior of the corresponding rule
// Optional. Defaults to "false" if not specified.
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
Synchronize bool `json:"synchronize,omitempty"`
// ResourceSpec is the information to identify the trigger resource.
Trigger kyvernov1.ResourceSpec `json:"trigger" yaml:"resource"`
Trigger kyvernov1.ResourceSpec `json:"trigger"`
}
// UpdateRequestSpecContext stores the context to be shared.
type UpdateRequestSpecContext struct {
// +optional
UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
UserRequestInfo RequestInfo `json:"userInfo,omitempty"`
// +optional
AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"`
AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty"`
}
// RequestInfo contains permission info carried in an admission request.
@ -134,24 +134,24 @@ type RequestInfo struct {
// Roles is a list of possible role send the request.
// +nullable
// +optional
Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
Roles []string `json:"roles,omitempty"`
// ClusterRoles is a list of possible clusterRoles send the request.
// +nullable
// +optional
ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
ClusterRoles []string `json:"clusterRoles,omitempty"`
// UserInfo is the userInfo carried in the admission request.
// +optional
AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo"`
}
// AdmissionRequestInfoObject stores the admission request and operation details
type AdmissionRequestInfoObject struct {
// +optional
AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty"`
// +optional
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
Operation admissionv1.Operation `json:"operation,omitempty"`
}
// UpdateRequestState defines the state of request.
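Review bot: On `RuleContext.Trigger` (the `Trigger kyvernov1.ResourceSpec` line) the removed tag was `yaml:"resource"`, which did not agree with its `json:"trigger"` key, so for that field this hunk is not purely mechanical: any consumer that decoded a `RuleContext` from YAML under the `resource` key now has to use `trigger`. If the old tag was a typo and nothing decodes `RuleContext` from YAML directly, this is a quiet fix; otherwise it changes the wire format and deserves a line in the commit message. A short comment on the field would record which key is canonical, e.g. `// Trigger is serialized under the "trigger" key; the former yaml:"resource" tag was inconsistent with the json tag.`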


@ -40,7 +40,7 @@ type GlobalContextEntry struct {
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec GlobalContextEntrySpec `json:"spec" yaml:"spec"`
Spec GlobalContextEntrySpec `json:"spec"`
// Status contains globalcontextentry runtime data.
// +optional


@ -204,7 +204,7 @@ type ClusterCleanupPolicyList struct {
type CleanupPolicySpec struct {
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []kyvernov1.ContextEntry `json:"context,omitempty"`
// MatchResources defines when cleanuppolicy should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)


@ -29,15 +29,15 @@ import (
// ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
type ClusterPolicy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy behaviors.
Spec Spec `json:"spec" yaml:"spec"`
Spec Spec `json:"spec"`
// Status contains policy runtime data.
// +optional
Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
Status kyvernov1.PolicyStatus `json:"status,omitempty"`
}
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
@ -123,7 +123,7 @@ func (p *ClusterPolicy) GetKind() string {
// ClusterPolicyList is a list of ClusterPolicy instances.
type ClusterPolicyList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []ClusterPolicy `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []ClusterPolicy `json:"items"`
}


@ -17,48 +17,48 @@ type Validation struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty"`
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
// namespace-wise. It overrides FailureAction for the specified namespaces.
// +optional
FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
// Manifest specifies conditions for manifest verification
// +optional
Manifests *kyvernov1.Manifests `json:"manifests,omitempty" yaml:"manifests,omitempty"`
Manifests *kyvernov1.Manifests `json:"manifests,omitempty"`
// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
// +optional
ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"`
ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty"`
// Pattern specifies an overlay-style pattern used to check resources.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawPattern *kyverno.Any `json:"pattern,omitempty" yaml:"pattern,omitempty"`
RawPattern *kyverno.Any `json:"pattern,omitempty"`
// AnyPattern specifies list of validation patterns. At least one of the patterns
// must be satisfied for the validation rule to succeed.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
// Deny defines conditions used to pass or fail a validation rule.
// +optional
Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
Deny *Deny `json:"deny,omitempty"`
// PodSecurity applies exemptions for Kubernetes Pod Security admission
// by specifying exclusions for Pod Security Standards controls.
// +optional
PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty"`
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
// +optional
CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
CEL *kyvernov1.CEL `json:"cel,omitempty"`
// Assert defines a kyverno-json assertion tree.
// +optional
@ -105,29 +105,29 @@ var ConditionOperators = map[string]ConditionOperator{
type Deny struct {
// Multiple conditions can be declared under an `any` or `all` statement.
// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty"`
}
type Condition struct {
// Key is the context entry (using JMESPath) for conditional rule evaluation.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawKey *kyverno.Any `json:"key,omitempty" yaml:"key,omitempty"`
RawKey *kyverno.Any `json:"key,omitempty"`
// Operator is the conditional operation to perform. Valid operators are:
// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
// GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
// DurationLessThanOrEquals, DurationLessThan
Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
Operator ConditionOperator `json:"operator,omitempty"`
// Value is the conditional value, or set of values. The values can be fixed set
// or can be variables declared using JMESPath.
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
RawValue *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"`
RawValue *kyverno.Any `json:"value,omitempty"`
// Message is an optional display message
Message string `json:"message,omitempty" yaml:"message,omitempty"`
Message string `json:"message,omitempty"`
}
func (c *Condition) GetKey() any {
@ -152,14 +152,14 @@ type AnyAllConditions struct {
// using JMESPath notation.
// Here, at least one of the conditions need to pass.
// +optional
AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
AnyConditions []Condition `json:"any,omitempty"`
// AllConditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// Here, all of the conditions need to pass.
// +optional
AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
AllConditions []Condition `json:"all,omitempty"`
}
// ResourceFilters is a slice of ResourceFilter
@ -169,8 +169,8 @@ type ResourceFilters []ResourceFilter
type ResourceFilter struct {
// UserInfo contains information about the user performing the operation.
// +optional
kyvernov1.UserInfo `json:",omitempty" yaml:",omitempty"`
kyvernov1.UserInfo `json:",omitempty"`
// ResourceDescription contains information about the resource being created or modified.
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
ResourceDescription `json:"resources,omitempty"`
}


@ -12,51 +12,51 @@ type ImageVerification struct {
// Allowed values are Audit or Enforce.
// +optional
// +kubebuilder:validation:Enum=Audit;Enforce
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty"`
// Type specifies the method of signature validation. The allowed options
// are Cosign and Notary. By default Cosign is used if a type is not specified.
// +kubebuilder:validation:Optional
Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
Type kyvernov1.ImageVerificationType `json:"type,omitempty"`
// ImageReferences is a list of matching image reference patterns. At least one pattern in the
// list must match the image for the rule to apply. Each image reference consists of a registry
// address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"`
ImageReferences []string `json:"imageReferences,omitempty"`
// SkipImageReferences is a list of matching image reference patterns that should be skipped.
// At least one pattern in the list must match the image for the rule to be skipped. Each image reference
// consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
// Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
// +kubebuilder:validation:Optional
SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"`
SkipImageReferences []string `json:"skipImageReferences,omitempty"`
// Attestors specified the required attestors (i.e. authorities)
// +kubebuilder:validation:Optional
Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"`
Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty"`
// Attestations are optional checks for signed in-toto Statements used to verify the image.
// See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
// OCI registry and decodes them into a list of Statement declarations.
Attestations []kyvernov1.Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"`
Attestations []kyvernov1.Attestation `json:"attestations,omitempty"`
// Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
// If specified Repository will override the default OCI image repository configured for the installation.
// The repository can also be overridden per Attestor or Attestation.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
Repository string `json:"repository,omitempty"`
// MutateDigest enables replacement of image tags with digests.
// Defaults to true.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
MutateDigest bool `json:"mutateDigest" yaml:"mutateDigest"`
MutateDigest bool `json:"mutateDigest"`
// VerifyDigest validates that images have a digest.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
VerifyDigest bool `json:"verifyDigest" yaml:"verifyDigest"`
VerifyDigest bool `json:"verifyDigest"`
// Validation checks conditions across multiple image
// verification attestations or context entries
@ -65,16 +65,16 @@ type ImageVerification struct {
// Required validates that images are verified i.e. have matched passed a signature or attestation check.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
Required bool `json:"required" yaml:"required"`
Required bool `json:"required"`
// ImageRegistryCredentials provides credentials that will be used for authentication with registry
// +kubebuilder:validation:Optional
ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty"`
// UseCache enables caching of image verify responses for this rule
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
UseCache bool `json:"useCache" yaml:"useCache"`
UseCache bool `json:"useCache"`
}
// Validate implements programmatic validation
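Review bot: Dropping the `yaml:` tags on every ImageVerification field (and likewise in the ResourceFilter, MatchResources, PolicyException, Policy, ResourceDescription, Rule, Spec and kyvernoRule hunks that follow) is only behavior-preserving if these types are always (de)serialized through their json tags, e.g. via sigs.k8s.io/yaml; a gopkg.in/yaml encoder or decoder falls back to the lowercased field name, so `failureAction` would silently become `failureaction` and camelCase manifests would decode those fields to their zero values without an error. The commit does not show where these types are marshaled, so I would confirm no gopkg.in/yaml or goccy/go-yaml path touches them before removing the tags from the exception and verify-images types in particular, and add a regression test that decodes a camelCase YAML PolicyException and ImageVerification and asserts the parsed fields. A one-line comment on the struct would record the contract: `// Field names come from the json tags only; YAML must be handled by a JSON-tag-aware codec such as sigs.k8s.io/yaml.`. The struct's opening lines are outside this hunk.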


@ -12,11 +12,11 @@ import (
type MatchResources struct {
// Any allows specifying resources which will be ORed
// +optional
Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
Any kyvernov1.ResourceFilters `json:"any,omitempty"`
// All allows specifying resources which will be ANDed
// +optional
All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
All kyvernov1.ResourceFilters `json:"all,omitempty"`
}
// GetResourceFilters returns all resource filters


@ -30,11 +30,11 @@ import (
// PolicyException declares resources to be excluded from specified policies.
type PolicyException struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
Spec PolicyExceptionSpec `json:"spec"`
}
// Validate implements programmatic validation
@ -62,10 +62,10 @@ type PolicyExceptionSpec struct {
// Background controls if exceptions are applied to existing policies during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
Background *bool `json:"background,omitempty"`
// Match defines match clause used to check if a resource applies to the exception
Match MatchResources `json:"match" yaml:"match"`
Match MatchResources `json:"match"`
// Conditions are used to determine if a resource applies to the exception by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
@ -73,12 +73,12 @@ type PolicyExceptionSpec struct {
Conditions *AnyAllConditions `json:"conditions,omitempty"`
// Exceptions is a list policy/rules to be excluded
Exceptions []Exception `json:"exceptions" yaml:"exceptions"`
Exceptions []Exception `json:"exceptions"`
// PodSecurity specifies the Pod Security Standard controls to be excluded.
// Applicable only to policies that have validate.podSecurity subrule.
// +optional
PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty"`
}
func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool {
@ -123,10 +123,10 @@ type Exception struct {
// PolicyName identifies the policy to which the exception is applied.
// The policy name uses the format <namespace>/<name> unless it
// references a ClusterPolicy.
PolicyName string `json:"policyName" yaml:"policyName"`
PolicyName string `json:"policyName"`
// RuleNames identifies the rules to which the exception is applied.
RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
RuleNames []string `json:"ruleNames"`
}
// Validate implements programmatic validation
@ -154,7 +154,7 @@ func (p *Exception) Contains(policy string, rule string) bool {
// PolicyExceptionList is a list of Policy Exceptions
type PolicyExceptionList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []PolicyException `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []PolicyException `json:"items"`
}


@ -29,15 +29,15 @@ import (
// Policy declares validation, mutation, and generation behaviors for matching resources.
// See: https://kyverno.io/docs/writing-policies/ for more information.
type Policy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec defines policy behaviors and contains one or more rules.
Spec Spec `json:"spec" yaml:"spec"`
Spec Spec `json:"spec"`
// Status contains policy runtime data.
// +optional
Status kyvernov1.PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
Status kyvernov1.PolicyStatus `json:"status,omitempty"`
}
// HasAutoGenAnnotation checks if a policy has auto-gen annotation
@ -123,7 +123,7 @@ func (p *Policy) GetKind() string {
// PolicyList is a list of Policy instances.
type PolicyList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []Policy `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []Policy `json:"items"`
}


@ -14,30 +14,30 @@ import (
type ResourceDescription struct {
// Kinds is a list of resource kinds.
// +optional
Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
Kinds []string `json:"kinds,omitempty"`
// Names are the names of the resources. Each name supports wildcard characters
// "*" (matches zero or many characters) and "?" (at least one character).
// +optional
Names []string `json:"names,omitempty" yaml:"names,omitempty"`
Names []string `json:"names,omitempty"`
// Namespaces is a list of namespaces names. Each name supports wildcard characters
// "*" (matches zero or many characters) and "?" (at least one character).
// +optional
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
Namespaces []string `json:"namespaces,omitempty"`
// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
// and values support the wildcard characters "*" (matches zero or many characters) and
// "?" (matches at least one character).
// +optional
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
// characters `*` (matches zero or many characters) and `?` (matches one character).
// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
// using ["*" : "*"] matches any key and value but does not match an empty label set.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
Selector *metav1.LabelSelector `json:"selector,omitempty"`
// NamespaceSelector is a label selector for the resource namespace. Label keys and values
// in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
@ -45,11 +45,11 @@ type ResourceDescription struct {
// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
// does not match an empty label set.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
// Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
// +optional
Operations []kyvernov1.AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"`
Operations []kyvernov1.AdmissionOperation `json:"operations,omitempty"`
}
func (r ResourceDescription) GetOperations() []string {


@ -16,62 +16,62 @@ import (
type Rule struct {
// Name is a label to identify the rule, It must be unique within the policy.
// +kubebuilder:validation:MaxLength=63
Name string `json:"name" yaml:"name"`
Name string `json:"name"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
Context []kyvernov1.ContextEntry `json:"context,omitempty"`
// MatchResources defines when this policy rule should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role.
// At least one kind is required.
MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
MatchResources MatchResources `json:"match,omitempty"`
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources MatchResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
ExcludeResources MatchResources `json:"exclude,omitempty"`
// ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
// This config is only valid for verifyImages rules.
// +optional
ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"`
ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +optional
RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty"`
// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
// set of CEL conditions. It can only be used with the validate.cel subrule
// +optional
CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty"`
// Mutation is used to modify matching resources.
// +optional
Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
Mutation kyvernov1.Mutation `json:"mutate,omitempty"`
// Validation is used to validate matching resources.
// +optional
Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
Validation Validation `json:"validate,omitempty"`
// Generation is used to create new resources.
// +optional
Generation kyvernov1.Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
Generation kyvernov1.Generation `json:"generate,omitempty"`
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
VerifyImages []ImageVerification `json:"verifyImages,omitempty"`
// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
// The default value is set to "true", it must be set to "false" to apply
// generate and mutateExisting rules to those requests.
// +kubebuilder:default=true
// +kubebuilder:validation:Optional
SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty"`
}
// HasMutate checks for mutate rule


@ -14,65 +14,65 @@ import (
type Spec struct {
// Rules is a list of Rule instances. A Policy contains multiple rules and
// each rule can validate, mutate, or generate resources.
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
Rules []Rule `json:"rules,omitempty"`
// ApplyRules controls how rules in a policy are applied. Rule are processed in
// the order of declaration. When set to `One` processing stops after a rule has
// been applied i.e. the rule matches and results in a pass, fail, or error. When
// set to `All` all rules in the policy are processed. The default is `All`.
// +optional
ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty"`
// Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty"`
// Deprecated, use validationFailureAction under the validate rule instead.
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=Audit
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty"`
// Admission controls if rules are applied during admission.
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
Admission *bool `json:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
Background *bool `json:"background,omitempty"`
// Deprecated.
SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
SchemaValidation *bool `json:"schemaValidation,omitempty"`
// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty"`
// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
// +optional
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting instead
// +optional
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting under the generate rule instead
GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`
GenerateExisting bool `json:"generateExisting,omitempty"`
// UseServerSideApply controls whether to use server-side apply for generate rules
// If is set to "true" create & update for generate rules will use apply instead of create/update.
// Defaults to "false" if not specified.
// +optional
UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
UseServerSideApply bool `json:"useServerSideApply,omitempty"`
// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
// +optional
WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty"`
}
func (s *Spec) CustomWebhookMatchConditions() bool {


@ -28,7 +28,7 @@ type kyvernoRule struct {
AnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
Mutation *kyvernov1.Mutation `json:"mutate,omitempty"`
Validation *kyvernov1.Validation `json:"validate,omitempty"`
VerifyImages []kyvernov1.ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
VerifyImages []kyvernov1.ImageVerification `json:"verifyImages,omitempty"`
}
func createRule(rule *kyvernov1.Rule) *kyvernoRule {


@ -30,9 +30,9 @@ func loadYaml(t *testing.T, file string) []byte {
// jsonPatch is used to build test patches
type jsonPatch struct {
Path string `json:"path,omitempty" yaml:"path,omitempty"`
Operation string `json:"op,omitempty" yaml:"op,omitempty"`
Value apiextensions.JSON `json:"value,omitempty" yaml:"value,omitempty"`
Path string `json:"path,omitempty"`
Operation string `json:"op,omitempty"`
Value apiextensions.JSON `json:"value,omitempty"`
}
func applyPatches(rule *types.Rule, resource unstructured.Unstructured) (*engineapi.RuleResponse, unstructured.Unstructured) {