
chore: remove v1alpha1 of VAPs and use v1beta1 (#10955)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-08-29 18:31:25 +03:00 committed by GitHub
parent e00596a551
commit bde90340a6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
140 changed files with 1201 additions and 1055 deletions


@ -170,75 +170,6 @@ jobs:
if: failure()
uses: ./.github/actions/kyverno-logs
validatingadmissionpolicies-v1alpha1:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: validating-admission-policies
values:
- standard
- generate-validating-admission-policy
k8s-version:
- name: v1.27
version: v1.27.13
tests:
- generate-validating-admission-policy
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# install tools
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Install chainsaw
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
# create cluster
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version.version }}
cluster_name: kind
config: ./scripts/config/kind/vap-v1alpha1.yaml
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
shell: bash
run: |
set -e
kind load image-archive kyverno.tar --name kind
- name: Install kyverno
shell: bash
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
# run tests
- name: Test with Chainsaw
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
# debug
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
k8s-version-specific-tests-above-1-28:
runs-on: ubuntu-latest
permissions:
@ -313,75 +244,6 @@ jobs:
if: failure()
uses: ./.github/actions/kyverno-logs
validatingadmissionpolicies-reports-v1alpha1:
runs-on: ubuntu-latest
permissions:
packages: read
strategy:
fail-fast: false
matrix:
config:
- name: validating-admission-policy-reports
values:
- standard
- validating-admission-policy-reports
k8s-version:
- name: v1.27
version: v1.27.13
tests:
- validating-admission-policy-reports
needs: prepare-images
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# install tools
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Install chainsaw
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
# create cluster
- name: Create kind cluster
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
with:
node_image: kindest/node:${{ matrix.k8s-version.version }}
cluster_name: kind
config: ./scripts/config/kind/vap-v1alpha1.yaml
# deploy kyverno
- name: Download kyverno images archive
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: kyverno.tar
- name: Load kyverno images archive in kind cluster
shell: bash
run: |
set -e
kind load image-archive kyverno.tar --name kind
- name: Install kyverno
shell: bash
run: |
set -e
export HELM=${{ steps.helm.outputs.helm-path }}
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
make kind-install-kyverno
- name: Wait for kyverno ready
uses: ./.github/actions/kyverno-wait-ready
# run tests
- name: Test with Chainsaw
shell: bash
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -e
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
# debug
- name: Debug failure
if: failure()
uses: ./.github/actions/kyverno-logs
validatingadmissionpolicies-reports-v1beta1:
runs-on: ubuntu-latest
permissions:
@ -1004,9 +866,7 @@ jobs:
- standard
- ttl
- force-failure-policy-ignore
- validatingadmissionpolicies-v1alpha1
- k8s-version-specific-tests-above-1-28
- validatingadmissionpolicies-reports-v1alpha1
- validatingadmissionpolicies-reports-v1beta1
- custom-sigstore
- default
@ -1023,9 +883,7 @@ jobs:
- standard
- ttl
- force-failure-policy-ignore
- validatingadmissionpolicies-v1alpha1
- k8s-version-specific-tests-above-1-28
- validatingadmissionpolicies-reports-v1alpha1
- validatingadmissionpolicies-reports-v1beta1
- custom-sigstore
- default


@ -11,7 +11,7 @@ import (
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
admissionv1 "k8s.io/api/admission/v1"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -569,36 +569,36 @@ func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
type CEL struct {
// Expressions is a list of CELExpression types.
Expressions []v1alpha1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
Expressions []admissionregistrationv1beta1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
// ParamKind is a tuple of Group Kind and Version.
// +optional
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
ParamKind *admissionregistrationv1beta1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
// ParamRef references a parameter resource.
// +optional
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
ParamRef *admissionregistrationv1beta1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
// +optional
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
AuditAnnotations []admissionregistrationv1beta1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
// Variables contain definitions of variables that can be used in composition of other expressions.
// Each variable is defined as a named CEL expression.
// The variables defined here will be available under `variables` in other expressions of the policy.
// +optional
Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
Variables []admissionregistrationv1beta1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
}
func (c *CEL) HasParam() bool {
return c.ParamKind != nil && c.ParamRef != nil
}
func (c *CEL) GetParamKind() v1alpha1.ParamKind {
func (c *CEL) GetParamKind() admissionregistrationv1beta1.ParamKind {
return *c.ParamKind
}
func (c *CEL) GetParamRef() v1alpha1.ParamRef {
func (c *CEL) GetParamRef() admissionregistrationv1beta1.ParamRef {
return *c.ParamRef
}
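Review bot: `GetParamKind` and `GetParamRef`, whose signatures are rewritten at the end of the hunk, still dereference `c.ParamKind` and `c.ParamRef` unconditionally, so any caller that reaches them without first checking `HasParam` panics on a policy whose `cel` block sets only one of `paramKind`/`paramRef`; in an admission webhook that is a process crash a single malformed policy object can cause, and the commit swaps the API version without touching that contract. At minimum the exported methods should say so: `// GetParamKind dereferences c.ParamKind; callers must check HasParam() first, a nil ParamKind panics.` with the matching sentence on `GetParamRef`. A nil-safe variant would be `if c.ParamKind == nil { return admissionregistrationv1beta1.ParamKind{} }` ahead of the dereference, at the cost of callers no longer telling unset from empty, so I would document first and decide that separately. The `CEL` type and its three methods are complete within the hunk; the import change sits in the earlier hunk of the same file.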


@ -7,7 +7,7 @@ import (
"github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/pss/utils"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
)
@ -81,7 +81,7 @@ type Rule struct {
// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
// set of CEL conditions. It can only be used with the validate.cel subrule
// +optional
CELPreconditions []admissionregistrationv1alpha1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
CELPreconditions []admissionregistrationv1beta1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
// Mutation is used to modify matching resources.
// +optional


@ -24,7 +24,7 @@ package v1
import (
k8smanifest "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
rbacv1 "k8s.io/api/rbac/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -218,29 +218,29 @@ func (in *CEL) DeepCopyInto(out *CEL) {
*out = *in
if in.Expressions != nil {
in, out := &in.Expressions, &out.Expressions
*out = make([]v1alpha1.Validation, len(*in))
*out = make([]v1beta1.Validation, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.ParamKind != nil {
in, out := &in.ParamKind, &out.ParamKind
*out = new(v1alpha1.ParamKind)
*out = new(v1beta1.ParamKind)
**out = **in
}
if in.ParamRef != nil {
in, out := &in.ParamRef, &out.ParamRef
*out = new(v1alpha1.ParamRef)
*out = new(v1beta1.ParamRef)
(*in).DeepCopyInto(*out)
}
if in.AuditAnnotations != nil {
in, out := &in.AuditAnnotations, &out.AuditAnnotations
*out = make([]v1alpha1.AuditAnnotation, len(*in))
*out = make([]v1beta1.AuditAnnotation, len(*in))
copy(*out, *in)
}
if in.Variables != nil {
in, out := &in.Variables, &out.Variables
*out = make([]v1alpha1.Variable, len(*in))
*out = make([]v1beta1.Variable, len(*in))
copy(*out, *in)
}
return
@ -1384,7 +1384,7 @@ func (in *Rule) DeepCopyInto(out *Rule) {
}
if in.CELPreconditions != nil {
in, out := &in.CELPreconditions, &out.CELPreconditions
*out = make([]v1alpha1.MatchCondition, len(*in))
*out = make([]v1beta1.MatchCondition, len(*in))
copy(*out, *in)
}
in.Mutation.DeepCopyInto(&out.Mutation)


@ -143,7 +143,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2963,10 +2963,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2995,7 +2999,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3061,7 +3066,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3078,6 +3084,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4897,7 +4904,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7758,10 +7765,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7790,7 +7801,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7856,7 +7868,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7873,6 +7886,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12272,10 +12286,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12304,7 +12322,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12370,7 +12389,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12387,6 +12407,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14264,7 +14285,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17125,10 +17146,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17157,7 +17182,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17223,7 +17249,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17240,6 +17267,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -144,7 +144,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2964,10 +2964,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2996,7 +3000,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3062,7 +3067,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3079,6 +3085,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4899,7 +4906,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7760,10 +7767,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7792,7 +7803,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7858,7 +7870,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7875,6 +7888,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12275,10 +12289,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12307,7 +12325,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12373,7 +12392,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12390,6 +12410,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14267,7 +14288,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17128,10 +17149,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17160,7 +17185,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17226,7 +17252,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17243,6 +17270,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -33,7 +33,7 @@ import (
gitutils "github.com/kyverno/kyverno/pkg/utils/git"
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
"github.com/spf13/cobra"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
@ -222,8 +222,8 @@ func (c *ApplyCommandConfig) getMutateLogPathIsDir(skipInvalidPolicies SkippedIn
}
func (c *ApplyCommandConfig) applyValidatingAdmissionPolicytoResource(
vaps []v1alpha1.ValidatingAdmissionPolicy,
vapBindings []v1alpha1.ValidatingAdmissionPolicyBinding,
vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
resources []*unstructured.Unstructured,
namespaceSelectorMap map[string]map[string]string,
rc *processor.ResultCounts,
@ -322,7 +322,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
return &rc, resources, responses, nil
}
func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.PolicyInterface, vap []v1alpha1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, error) {
func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.PolicyInterface, vap []admissionregistrationv1beta1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, error) {
resources, err := common.GetResourceAccordingToResourcePath(out, nil, c.ResourcePaths, c.Cluster, policies, vap, dClient, c.Namespace, c.PolicyReport, "")
if err != nil {
return resources, fmt.Errorf("failed to load resources (%w)", err)
@ -330,11 +330,11 @@ func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.P
return resources, nil
}
func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPolicies) (*processor.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, []v1alpha1.ValidatingAdmissionPolicyBinding, error) {
func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPolicies) (*processor.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, []kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
// load policies
var policies []kyvernov1.PolicyInterface
var vaps []v1alpha1.ValidatingAdmissionPolicy
var vapBindings []v1alpha1.ValidatingAdmissionPolicyBinding
var vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy
var vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
for _, path := range c.PolicyPaths {
isGit := source.IsGit(path)
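Review bot: The rewritten `loadPolicies` signature now returns eight values, two of them the long `admissionregistrationv1beta1` slice types, which makes every call site easy to mis-order and hard to review; since the commit already edits all of these signatures, this is the moment to fold the pair into a small struct, e.g. `type loadedVAPs struct { policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy; bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding }`, or at least to use a shorter alias such as `admregv1beta1`. Separately, if policy files are decoded by their `apiVersion` (the loading code is outside the hunk, so this is inferred), users who still keep `admissionregistration.k8s.io/v1alpha1` manifests on disk will start getting a load failure rather than a conversion, so a release note and an error message naming the unsupported version would help. `loadPolicies`' body continues past the hunk, and `applyValidatingAdmissionPolicytoResource`'s parameter list is cut at the hunk boundary.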


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: tests.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,10 +20,47 @@ spec:
description: Test declares a test
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
checks:
description: Checks are the verifications to be checked in the test
items:
properties:
assert:
description: Assert contains assertion to be performed on the relevant
rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
error:
description: Error contains negative assertion to be performed on
the relevant rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
match:
description: Match tells how to match relevant rule responses
properties:
policy:
description: Policy filters engine responses
type: object
x-kubernetes-preserve-unknown-fields: true
resource:
description: Resource filters engine responses
type: object
x-kubernetes-preserve-unknown-fields: true
rule:
description: Rule filters rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- assert
- error
type: object
type: array
exceptions:
description: Policy Exceptions are the policy exceptions to be used in
the test
@ -31,15 +68,19 @@ spec:
type: string
type: array
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
name:
description: Name is the name of the test. This field is deprecated, use
`metadata.name` instead
description: |-
Name is the name of the test.
This field is deprecated, use `metadata.name` instead
type: string
policies:
description: Policies are the policies to be used in the test
@ -57,41 +98,41 @@ spec:
description: TestResultBase declares a test result
properties:
cloneSourceResource:
description: CloneSourceResource takes the resource configuration
file in yaml format from the user which is meant to be cloned
by the generate rule.
description: |-
CloneSourceResource takes the resource configuration file in yaml format
from the user which is meant to be cloned by the generate rule.
type: string
generatedResource:
description: GeneratedResource takes a resource configuration file
in yaml format from the user to compare it against the Kyverno
generated resource configuration.
description: |-
GeneratedResource takes a resource configuration file in yaml format from
the user to compare it against the Kyverno generated resource configuration.
type: string
isValidatingAdmissionPolicy:
description: IsValidatingAdmissionPolicy indicates if the policy
is a validating admission policy. It's required in case policy
is a validating admission policy.
description: |-
IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
It's required in case policy is a validating admission policy.
type: boolean
kind:
description: Kind mentions the kind of the resource on which the
policy is to be applied.
type: string
namespace:
description: Namespace mentions the namespace of the policy which
has namespace scope. This is DEPRECATED, use a name in the form
`<namespace>/<name>` for policies and/or resources instead.
description: |-
Namespace mentions the namespace of the policy which has namespace scope.
This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
type: string
patchedResource:
description: PatchedResource takes a resource configuration file
in yaml format from the user to compare it against the Kyverno
mutated resource configuration.
description: |-
PatchedResource takes a resource configuration file in yaml format from
the user to compare it against the Kyverno mutated resource configuration.
type: string
policy:
description: Policy mentions the name of the policy.
type: string
resource:
description: Resource mentions the name of the resource on which
the policy is to be applied. This is DEPRECATED, use `Resources`
instead.
description: |-
Resource mentions the name of the resource on which the policy is to be applied.
This is DEPRECATED, use `Resources` instead.
type: string
resources:
description: Resources gives us the list of resources on which the
@ -100,7 +141,8 @@ spec:
type: string
type: array
result:
description: Result mentions the result that the user is expecting.
description: |-
Result mentions the result that the user is expecting.
Possible values are pass, fail and skip.
enum:
- pass
@ -110,13 +152,15 @@ spec:
- skip
type: string
rule:
description: Rule mentions the name of the rule in the policy. It's
required in case policy is a kyverno policy.
description: |-
Rule mentions the name of the rule in the policy.
It's required in case policy is a kyverno policy.
type: string
status:
description: Status mentions the status that the user is expecting.
Possible values are pass, fail and skip. This is DEPRECATED, use
`Result` instead.
description: |-
Status mentions the status that the user is expecting.
Possible values are pass, fail and skip.
This is DEPRECATED, use `Result` instead.
enum:
- pass
- fail
@ -223,11 +267,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For
subresources, this may have a different value, for example:
Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo'
@ -246,36 +290,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status
on a single item and both singular and plural are allowed
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the
version this resource is converted to when written to
the data store. Value must be treated as opaque by clients.
Only equality comparison on the value is valid. This is
an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the StorageVersionHash
feature gate is enabled. This field will remain optional
even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this
includes get, list, watch, create, update, patch, delete,
deletecollection, and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For
subresources, this may have a different value, for example:
v1 (while inside a v1beta1 version of the core resource''s
group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind
@ -293,11 +335,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For
subresources, this may have a different value, for example:
Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo'
@ -316,36 +358,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status
on a single item and both singular and plural are allowed
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the
version this resource is converted to when written to
the data store. Value must be treated as opaque by clients.
Only equality comparison on the value is valid. This is
an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the StorageVersionHash
feature gate is enabled. This field will remain optional
even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this
includes get, list, watch, create, update, patch, delete,
deletecollection, and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For
subresources, this may have a different value, for example:
v1 (while inside a v1beta1 version of the core resource''s
group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: userinfoes.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,9 +20,11 @@ spec:
description: UserInfo declares user infos to be loaded by the Kyverno CLI
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles send the
@ -32,9 +34,12 @@ spec:
nullable: true
type: array
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@ -60,10 +65,12 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
uid:
description: A unique value that identifies this user across time.
If this user is deleted and another user by the same name is added,
they will have different UIDs.
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
different UIDs.
type: string
username:
description: The name that uniquely identifies this user among all


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: values.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,18 +20,23 @@ spec:
description: Values declares values to be loaded by the Kyverno CLI
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
globalValues:
description: GlobalValues are the global values
type: object
x-kubernetes-preserve-unknown-fields: true
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@ -116,10 +121,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For subresources,
this may have a different value, for example: Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo' is
@ -138,34 +144,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely. The
singularName is more correct for reporting status on a single
item and both singular and plural are allowed from the kubectl
CLI interface.
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the version
this resource is converted to when written to the data store.
Value must be treated as opaque by clients. Only equality
comparison on the value is valid. This is an alpha feature
and may change or be removed in the future. The field is populated
by the apiserver only if the StorageVersionHash feature gate
is enabled. This field will remain optional even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this includes
get, list, watch, create, update, patch, delete, deletecollection,
and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For subresources,
this may have a different value, for example: v1 (while inside
a v1beta1 version of the core resource''s group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind
@ -183,10 +189,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For subresources,
this may have a different value, for example: Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo' is
@ -205,34 +212,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely. The
singularName is more correct for reporting status on a single
item and both singular and plural are allowed from the kubectl
CLI interface.
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the version
this resource is converted to when written to the data store.
Value must be treated as opaque by clients. Only equality
comparison on the value is valid. This is an alpha feature
and may change or be removed in the future. The field is populated
by the apiserver only if the StorageVersionHash feature gate
is enabled. This field will remain optional even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this includes
get, list, watch, create, update, patch, delete, deletecollection,
and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For subresources,
this may have a different value, for example: v1 (while inside
a v1beta1 version of the core resource''s group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: tests.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,10 +20,47 @@ spec:
description: Test declares a test
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
checks:
description: Checks are the verifications to be checked in the test
items:
properties:
assert:
description: Assert contains assertion to be performed on the relevant
rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
error:
description: Error contains negative assertion to be performed on
the relevant rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
match:
description: Match tells how to match relevant rule responses
properties:
policy:
description: Policy filters engine responses
type: object
x-kubernetes-preserve-unknown-fields: true
resource:
description: Resource filters engine responses
type: object
x-kubernetes-preserve-unknown-fields: true
rule:
description: Rule filters rule responses
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- assert
- error
type: object
type: array
exceptions:
description: Policy Exceptions are the policy exceptions to be used in
the test
@ -31,15 +68,19 @@ spec:
type: string
type: array
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
name:
description: Name is the name of the test. This field is deprecated, use
`metadata.name` instead
description: |-
Name is the name of the test.
This field is deprecated, use `metadata.name` instead
type: string
policies:
description: Policies are the policies to be used in the test
@ -57,41 +98,41 @@ spec:
description: TestResultBase declares a test result
properties:
cloneSourceResource:
description: CloneSourceResource takes the resource configuration
file in yaml format from the user which is meant to be cloned
by the generate rule.
description: |-
CloneSourceResource takes the resource configuration file in yaml format
from the user which is meant to be cloned by the generate rule.
type: string
generatedResource:
description: GeneratedResource takes a resource configuration file
in yaml format from the user to compare it against the Kyverno
generated resource configuration.
description: |-
GeneratedResource takes a resource configuration file in yaml format from
the user to compare it against the Kyverno generated resource configuration.
type: string
isValidatingAdmissionPolicy:
description: IsValidatingAdmissionPolicy indicates if the policy
is a validating admission policy. It's required in case policy
is a validating admission policy.
description: |-
IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
It's required in case policy is a validating admission policy.
type: boolean
kind:
description: Kind mentions the kind of the resource on which the
policy is to be applied.
type: string
namespace:
description: Namespace mentions the namespace of the policy which
has namespace scope. This is DEPRECATED, use a name in the form
`<namespace>/<name>` for policies and/or resources instead.
description: |-
Namespace mentions the namespace of the policy which has namespace scope.
This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
type: string
patchedResource:
description: PatchedResource takes a resource configuration file
in yaml format from the user to compare it against the Kyverno
mutated resource configuration.
description: |-
PatchedResource takes a resource configuration file in yaml format from
the user to compare it against the Kyverno mutated resource configuration.
type: string
policy:
description: Policy mentions the name of the policy.
type: string
resource:
description: Resource mentions the name of the resource on which
the policy is to be applied. This is DEPRECATED, use `Resources`
instead.
description: |-
Resource mentions the name of the resource on which the policy is to be applied.
This is DEPRECATED, use `Resources` instead.
type: string
resources:
description: Resources gives us the list of resources on which the
@ -100,7 +141,8 @@ spec:
type: string
type: array
result:
description: Result mentions the result that the user is expecting.
description: |-
Result mentions the result that the user is expecting.
Possible values are pass, fail and skip.
enum:
- pass
@ -110,13 +152,15 @@ spec:
- skip
type: string
rule:
description: Rule mentions the name of the rule in the policy. It's
required in case policy is a kyverno policy.
description: |-
Rule mentions the name of the rule in the policy.
It's required in case policy is a kyverno policy.
type: string
status:
description: Status mentions the status that the user is expecting.
Possible values are pass, fail and skip. This is DEPRECATED, use
`Result` instead.
description: |-
Status mentions the status that the user is expecting.
Possible values are pass, fail and skip.
This is DEPRECATED, use `Result` instead.
enum:
- pass
- fail
@ -223,11 +267,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For
subresources, this may have a different value, for example:
Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo'
@ -246,36 +290,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status
on a single item and both singular and plural are allowed
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the
version this resource is converted to when written to
the data store. Value must be treated as opaque by clients.
Only equality comparison on the value is valid. This is
an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the StorageVersionHash
feature gate is enabled. This field will remain optional
even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this
includes get, list, watch, create, update, patch, delete,
deletecollection, and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For
subresources, this may have a different value, for example:
v1 (while inside a v1beta1 version of the core resource''s
group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind
@ -293,11 +335,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For
subresources, this may have a different value, for example:
Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo'
@ -316,36 +358,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status
on a single item and both singular and plural are allowed
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the
version this resource is converted to when written to
the data store. Value must be treated as opaque by clients.
Only equality comparison on the value is valid. This is
an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the StorageVersionHash
feature gate is enabled. This field will remain optional
even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this
includes get, list, watch, create, update, patch, delete,
deletecollection, and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For
subresources, this may have a different value, for example:
v1 (while inside a v1beta1 version of the core resource''s
group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: userinfoes.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,9 +20,11 @@ spec:
description: UserInfo declares user infos to be loaded by the Kyverno CLI
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles send the
@ -32,9 +34,12 @@ spec:
nullable: true
type: array
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@ -60,10 +65,12 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
uid:
description: A unique value that identifies this user across time.
If this user is deleted and another user by the same name is added,
they will have different UIDs.
description: |-
A unique value that identifies this user across time. If this user is
deleted and another user by the same name is added, they will have
different UIDs.
type: string
username:
description: The name that uniquely identifies this user among all


@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
controller-gen.kubebuilder.io/version: v0.15.0
name: values.cli.kyverno.io
spec:
group: cli.kyverno.io
@ -20,18 +20,23 @@ spec:
description: Values declares values to be loaded by the Kyverno CLI
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
globalValues:
description: GlobalValues are the global values
type: object
x-kubernetes-preserve-unknown-fields: true
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@ -116,10 +121,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For subresources,
this may have a different value, for example: Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo' is
@ -138,34 +144,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely. The
singularName is more correct for reporting status on a single
item and both singular and plural are allowed from the kubectl
CLI interface.
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the version
this resource is converted to when written to the data store.
Value must be treated as opaque by clients. Only equality
comparison on the value is valid. This is an alpha feature
and may change or be removed in the future. The field is populated
by the apiserver only if the StorageVersionHash feature gate
is enabled. This field will remain optional even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this includes
get, list, watch, create, update, patch, delete, deletecollection,
and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For subresources,
this may have a different value, for example: v1 (while inside
a v1beta1 version of the core resource''s group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind
@ -183,10 +189,11 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
group:
description: 'group is the preferred group of the resource. Empty
implies the group of the containing resource list. For subresources,
this may have a different value, for example: Scale".'
description: |-
group is the preferred group of the resource. Empty implies the group of the containing resource list.
For subresources, this may have a different value, for example: Scale".
type: string
kind:
description: kind is the kind for the resource (e.g. 'Foo' is
@ -205,34 +212,34 @@ spec:
items:
type: string
type: array
x-kubernetes-list-type: atomic
singularName:
description: singularName is the singular name of the resource. This
allows clients to handle plural and singular opaquely. The
singularName is more correct for reporting status on a single
item and both singular and plural are allowed from the kubectl
CLI interface.
description: |-
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
from the kubectl CLI interface.
type: string
storageVersionHash:
description: The hash value of the storage version, the version
this resource is converted to when written to the data store.
Value must be treated as opaque by clients. Only equality
comparison on the value is valid. This is an alpha feature
and may change or be removed in the future. The field is populated
by the apiserver only if the StorageVersionHash feature gate
is enabled. This field will remain optional even if it graduates.
description: |-
The hash value of the storage version, the version this resource is
converted to when written to the data store. Value must be treated
as opaque by clients. Only equality comparison on the value is valid.
This is an alpha feature and may change or be removed in the future.
The field is populated by the apiserver only if the
StorageVersionHash feature gate is enabled.
This field will remain optional even if it graduates.
type: string
verbs:
description: verbs is a list of supported kube verbs (this includes
get, list, watch, create, update, patch, delete, deletecollection,
and proxy)
description: |-
verbs is a list of supported kube verbs (this includes get, list, watch, create,
update, patch, delete, deletecollection, and proxy)
items:
type: string
type: array
version:
description: 'version is the preferred version of the resource. Empty
implies the version of the containing resource list For subresources,
this may have a different value, for example: v1 (while inside
a v1beta1 version of the core resource''s group)".'
description: |-
version is the preferred version of the resource. Empty implies the version of the containing resource list
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
type: string
required:
- kind


@ -137,7 +137,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2957,10 +2957,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2989,7 +2993,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3055,7 +3060,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3072,6 +3078,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4891,7 +4898,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7752,10 +7759,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7784,7 +7795,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7850,7 +7862,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7867,6 +7880,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12266,10 +12280,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12298,7 +12316,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12364,7 +12383,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12381,6 +12401,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14258,7 +14279,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17119,10 +17140,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17151,7 +17176,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17217,7 +17243,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17234,6 +17261,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -138,7 +138,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2958,10 +2958,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2990,7 +2994,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3056,7 +3061,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3073,6 +3079,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4893,7 +4900,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7754,10 +7761,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7786,7 +7797,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7852,7 +7864,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7869,6 +7882,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12269,10 +12283,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12301,7 +12319,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12367,7 +12386,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12384,6 +12404,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14261,7 +14282,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17122,10 +17143,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17154,7 +17179,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17220,7 +17246,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17237,6 +17264,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -21,7 +21,6 @@ import (
extyaml "github.com/kyverno/kyverno/ext/yaml"
"github.com/kyverno/kyverno/pkg/utils/git"
"github.com/pkg/errors"
"k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/runtime/schema"
"sigs.k8s.io/kubectl-validate/pkg/openapiclient"
@ -32,9 +31,7 @@ var (
policyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("Policy")
clusterPolicyV1 = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("ClusterPolicy")
clusterPolicyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("ClusterPolicy")
vapV1alpha1 = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
vapV1Beta1 = v1beta1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
vapBindingV1alpha1 = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
vapBindingV1beta1 = v1beta1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
LegacyLoader = legacyLoader
KubectlValidateLoader = kubectlValidateLoader
@ -54,8 +51,8 @@ type LoaderError struct {
type LoaderResults struct {
Policies []kyvernov1.PolicyInterface
VAPs []v1alpha1.ValidatingAdmissionPolicy
VAPBindings []v1alpha1.ValidatingAdmissionPolicyBinding
VAPs []v1beta1.ValidatingAdmissionPolicy
VAPBindings []v1beta1.ValidatingAdmissionPolicyBinding
NonFatalErrors []LoaderError
}
@ -159,14 +156,14 @@ func kubectlValidateLoader(path string, content []byte) (*LoaderResults, error)
return nil, err
}
results.Policies = append(results.Policies, typed)
case vapV1alpha1, vapV1Beta1:
typed, err := convert.To[v1alpha1.ValidatingAdmissionPolicy](untyped)
case vapV1Beta1:
typed, err := convert.To[v1beta1.ValidatingAdmissionPolicy](untyped)
if err != nil {
return nil, err
}
results.VAPs = append(results.VAPs, *typed)
case vapBindingV1alpha1, vapBindingV1beta1:
typed, err := convert.To[v1alpha1.ValidatingAdmissionPolicyBinding](untyped)
case vapBindingV1beta1:
typed, err := convert.To[v1beta1.ValidatingAdmissionPolicyBinding](untyped)
if err != nil {
return nil, err
}
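Review bot: With `vapV1alpha1` dropped from the `case` at the top of this hunk, a manifest that still declares `apiVersion: admissionregistration.k8s.io/v1alpha1` no longer matches here and falls through to the switch's default branch, which is outside the hunk; if that branch skips unrecognized kinds instead of erroring, existing v1alpha1 VAP fixtures would silently vanish from `kyverno test`/`apply` runs and the rules they carry would go untested. The removed code already treated both versions as one type (`case vapV1alpha1, vapV1Beta1:` converted both into a single struct), so the options are to keep matching the old GVK and convert it into the v1beta1 type, or to reject it with a message naming the replacement, e.g. `case schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingAdmissionPolicy"}:` followed by `return nil, errors.New("admissionregistration.k8s.io/v1alpha1 ValidatingAdmissionPolicy is no longer supported; use v1beta1")`. The same applies to the binding case two lines below. `kubectlValidateLoader` starts and ends outside this hunk, so I cannot see what the default branch currently does.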


@ -6,7 +6,7 @@ import (
"github.com/go-git/go-billy/v5"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/stretchr/testify/assert"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
)
func TestLoad(t *testing.T) {
@ -85,7 +85,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
resourcePath string
paths []string
wantErr bool
checks func(*testing.T, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy)
checks func(*testing.T, []kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy)
}{{
name: "cpol-limit-configmap-for-sa",
fs: nil,
@ -104,7 +104,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
resourcePath: "",
paths: []string{"../_testdata/policies/check-image.yaml"},
wantErr: false,
checks: func(t *testing.T, policies []kyvernov1.PolicyInterface, vaps []v1alpha1.ValidatingAdmissionPolicy) {
checks: func(t *testing.T, policies []kyvernov1.PolicyInterface, vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
assert.Len(t, policies, 1)
policy := policies[0]
assert.NotNil(t, policy)


@ -4,13 +4,13 @@ import (
"github.com/kyverno/kyverno/pkg/clients/dclient"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
type ValidatingAdmissionPolicyProcessor struct {
Policies []v1alpha1.ValidatingAdmissionPolicy
Bindings []v1alpha1.ValidatingAdmissionPolicyBinding
Policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
Bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
Resource *unstructured.Unstructured
NamespaceSelectorMap map[string]map[string]string
PolicyReport bool


@ -16,7 +16,7 @@ import (
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/clients/dclient"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
@ -30,7 +30,7 @@ func GetResourceAccordingToResourcePath(
resourcePaths []string,
cluster bool,
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
dClient dclient.Interface,
namespace string,
policyReport bool,


@ -16,7 +16,7 @@ import (
"github.com/kyverno/kyverno/pkg/clients/dclient"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
@ -29,7 +29,7 @@ import (
func GetResources(
out io.Writer,
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
resourcePaths []string,
dClient dclient.Interface,
cluster bool,
@ -250,7 +250,7 @@ func GetKindsFromRule(rule kyvernov1.Rule, client dclient.Interface) (map[schema
return resourceTypesMap, subresourceMap
}
func getKindsFromValidatingAdmissionPolicy(policy admissionregistrationv1alpha1.ValidatingAdmissionPolicy, client dclient.Interface) (map[schema.GroupVersionKind]bool, map[schema.GroupVersionKind]v1alpha1.Subresource) {
func getKindsFromValidatingAdmissionPolicy(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy, client dclient.Interface) (map[schema.GroupVersionKind]bool, map[schema.GroupVersionKind]v1alpha1.Subresource) {
resourceTypesMap := make(map[schema.GroupVersionKind]bool)
subresourceMap := make(map[schema.GroupVersionKind]v1alpha1.Subresource)
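Review bot: The signature on the changed line still returns `map[schema.GroupVersionKind]v1alpha1.Subresource`, and now that the k8s `admissionregistration/v1alpha1` import in this file is replaced by `admissionregistrationv1beta1`, the bare `v1alpha1` identifier presumably resolves to the Kyverno CLI `apis/v1alpha1` package (its import is outside this hunk) — easy to misread as a leftover k8s alpha reference in a commit whose whole purpose is removing those. A doc comment on the function would stop the next cleanup from "fixing" it, e.g. `// getKindsFromValidatingAdmissionPolicy resolves the kinds a VAP matches; Subresource is the Kyverno CLI apis/v1alpha1 type, not k8s admissionregistration.` The function body continues past the end of this hunk.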


@ -5,13 +5,13 @@ import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
)
type ValidatingAdmissionResources struct {
policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
}
func (r *ValidatingAdmissionResources) FetchResourcesFromPolicy(out io.Writer, resourcePaths []string, dClient dclient.Interface, namespace string, policyReport bool) ([]*unstructured.Unstructured, error) {


@ -222,8 +222,8 @@ func createrLeaderControllers(
dynamicClient.Discovery(),
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
kyvernoInformer.Kyverno().V2().PolicyExceptions(),
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings(),
kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings(),
eventGenerator,
checker,
)
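Review bot: The `V1beta1()` VAP and binding informers are passed to the controller here unconditionally, so on an API server that only serves `admissionregistration.k8s.io/v1alpha1` (the v1.27 kind configuration this commit removes from CI; v1beta1 of this API arrived with Kubernetes 1.28) the list/watch would fail and keep retrying rather than degrading cleanly. The reports controller touched in this same commit gates its informers behind a `validatingAdmissionPolicyReports` flag; confirm `createrLeaderControllers` is only reached after discovery has shown v1beta1 is served, or guard these two arguments the same way. A short note at the call site would make the requirement visible: `// requires admissionregistration.k8s.io/v1beta1 (Kubernetes >= 1.28)`. `createrLeaderControllers` starts and ends outside this hunk, so any existing guard is not visible to me.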


@ -29,7 +29,7 @@ import (
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
kubeinformers "k8s.io/client-go/informers"
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
)
@ -68,12 +68,12 @@ func createReportControllers(
) ([]internal.Controller, func(context.Context) error) {
var ctrls []internal.Controller
var warmups []func(context.Context) error
var vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer
var vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer
var vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer
var vapBindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer
// check if validating admission policies are registered in the API server
if validatingAdmissionPolicyReports {
vapInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies()
vapBindingInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings()
vapInformer = kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicies()
vapBindingInformer = kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings()
}
kyvernoV1 := kyvernoInformer.Kyverno().V1()
kyvernoV2 := kyvernoInformer.Kyverno().V2()
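Review bot: The comment `// check if validating admission policies are registered in the API server` above the `if validatingAdmissionPolicyReports` block no longer states what must be registered: after this change the informers require `admissionregistration.k8s.io/v1beta1` specifically, and a cluster that serves only v1alpha1 would satisfy a generic "VAPs exist" discovery check yet fail every list/watch here. How the flag is computed is outside the hunk; wherever that is, it should test for the v1beta1 resource, and the comment should say so, e.g. `// VAP reports need admissionregistration.k8s.io/v1beta1 (Kubernetes >= 1.28); the flag must only be set when discovery shows that version is served.` Note also that when the flag is false both informer variables remain nil, which every consumer further down (outside this hunk) has to tolerate. `createReportControllers` continues past the end of this hunk.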


@ -137,7 +137,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2957,10 +2957,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2989,7 +2993,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3055,7 +3060,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3072,6 +3078,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4891,7 +4898,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7752,10 +7759,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7784,7 +7795,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7850,7 +7862,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7867,6 +7880,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12266,10 +12280,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12298,7 +12316,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12364,7 +12383,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12381,6 +12401,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14258,7 +14279,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17119,10 +17140,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17151,7 +17176,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17217,7 +17243,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17234,6 +17261,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -138,7 +138,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -2958,10 +2958,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -2990,7 +2994,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -3056,7 +3061,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -3073,6 +3079,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -4893,7 +4900,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -7754,10 +7761,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -7786,7 +7797,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -7852,7 +7864,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -7869,6 +7882,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -12269,10 +12283,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12301,7 +12319,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -12367,7 +12386,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -12384,6 +12404,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -14261,7 +14282,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -17122,10 +17143,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17154,7 +17179,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17220,7 +17246,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -17237,6 +17264,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -5291,7 +5291,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -8111,10 +8111,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -8143,7 +8147,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -8209,7 +8214,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -8226,6 +8232,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -10045,7 +10052,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -12906,10 +12913,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -12938,7 +12949,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -13004,7 +13016,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -13021,6 +13034,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -17420,10 +17434,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -17452,7 +17470,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -17518,7 +17537,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -17535,6 +17555,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -19412,7 +19433,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -22273,10 +22294,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -22305,7 +22330,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -22371,7 +22397,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -22388,6 +22415,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -24558,7 +24586,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which must
by fulfilled for a request to be sent to a webhook.
be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -27378,10 +27406,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -27410,7 +27442,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -27476,7 +27509,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -27493,6 +27527,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -29313,7 +29348,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -32174,10 +32209,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -32206,7 +32245,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -32272,7 +32312,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -32289,6 +32330,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -36689,10 +36731,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -36721,7 +36767,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -36787,7 +36834,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is defined
as a named expression.
properties:
expression:
description: |-
@ -36804,6 +36852,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
@ -38681,7 +38730,7 @@ spec:
set of CEL conditions. It can only be used with the validate.cel subrule
items:
description: MatchCondition represents a condition which
must by fulfilled for a request to be sent to a webhook.
must be fulfilled for a request to be sent to a webhook.
properties:
expression:
description: |-
@ -41542,10 +41591,14 @@ spec:
properties:
name:
description: |-
`name` is the name of the resource being referenced.
name is the name of the resource being referenced.
`name` and `selector` are mutually exclusive properties. If one is set,
the other must be unset.
One of `name` or `selector` must be set, but `name` and `selector` are
mutually exclusive properties. If one is set, the other must be unset.
A single parameter used for all admission requests can be configured
by setting the `name` field, leaving `selector` blank, and setting namespace
if `paramKind` is namespace-scoped.
type: string
namespace:
description: |-
@ -41574,7 +41627,8 @@ spec:
`failurePolicy` of the policy.
Allowed values are `Allow` or `Deny`
Default to `Deny`
Required
type: string
selector:
description: |-
@ -41640,7 +41694,8 @@ spec:
The variables defined here will be available under `variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
that is used for composition. A variable is
defined as a named expression.
properties:
expression:
description: |-
@ -41657,6 +41712,7 @@ spec:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:


@ -1001,8 +1001,8 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<td>
<code>expressions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1alpha1-admissionregistration">
[]Kubernetes admissionregistration/v1alpha1.Validation
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1beta1-admissionregistration">
[]Kubernetes admissionregistration/v1beta1.Validation
</a>
</em>
</td>
@ -1014,8 +1014,8 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<td>
<code>paramKind</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramkind-v1alpha1-admissionregistration">
Kubernetes admissionregistration/v1alpha1.ParamKind
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramkind-v1beta1-admissionregistration">
Kubernetes admissionregistration/v1beta1.ParamKind
</a>
</em>
</td>
@ -1028,8 +1028,8 @@ Kubernetes admissionregistration/v1alpha1.ParamKind
<td>
<code>paramRef</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramref-v1alpha1-admissionregistration">
Kubernetes admissionregistration/v1alpha1.ParamRef
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramref-v1beta1-admissionregistration">
Kubernetes admissionregistration/v1beta1.ParamRef
</a>
</em>
</td>
@ -1042,8 +1042,8 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
<td>
<code>auditAnnotations</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1alpha1-admissionregistration">
[]Kubernetes admissionregistration/v1alpha1.AuditAnnotation
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1beta1-admissionregistration">
[]Kubernetes admissionregistration/v1beta1.AuditAnnotation
</a>
</em>
</td>
@ -1056,8 +1056,8 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
<td>
<code>variables</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1alpha1-admissionregistration">
[]Kubernetes admissionregistration/v1alpha1.Variable
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1beta1-admissionregistration">
[]Kubernetes admissionregistration/v1beta1.Variable
</a>
</em>
</td>
@ -3895,8 +3895,8 @@ See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://k
<td>
<code>celPreconditions</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1alpha1-admissionregistration">
[]Kubernetes admissionregistration/v1alpha1.MatchCondition
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1beta1-admissionregistration">
[]Kubernetes admissionregistration/v1beta1.MatchCondition
</a>
</em>
</td>


@ -2032,7 +2032,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<span style="font-family: monospace">[]admissionregistration/v1alpha1.Validation</span>
<span style="font-family: monospace">[]admissionregistration/v1beta1.Validation</span>
</td>
@ -2059,7 +2059,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<span style="font-family: monospace">admissionregistration/v1alpha1.ParamKind</span>
<span style="font-family: monospace">admissionregistration/v1beta1.ParamKind</span>
</td>
@ -2086,7 +2086,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<span style="font-family: monospace">admissionregistration/v1alpha1.ParamRef</span>
<span style="font-family: monospace">admissionregistration/v1beta1.ParamRef</span>
</td>
@ -2113,7 +2113,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<span style="font-family: monospace">[]admissionregistration/v1alpha1.AuditAnnotation</span>
<span style="font-family: monospace">[]admissionregistration/v1beta1.AuditAnnotation</span>
</td>
@ -2140,7 +2140,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
<span style="font-family: monospace">[]admissionregistration/v1alpha1.Variable</span>
<span style="font-family: monospace">[]admissionregistration/v1beta1.Variable</span>
</td>
@ -7726,7 +7726,7 @@ See: https://kyverno.io/docs/writing-policies/preconditions/</p>
<span style="font-family: monospace">[]admissionregistration/v1alpha1.MatchCondition</span>
<span style="font-family: monospace">[]admissionregistration/v1beta1.MatchCondition</span>
</td>


@ -19,17 +19,17 @@ limitations under the License.
package v1
import (
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
)
// CELApplyConfiguration represents an declarative configuration of the CEL type for use
// with apply.
type CELApplyConfiguration struct {
Expressions []v1alpha1.Validation `json:"expressions,omitempty"`
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty"`
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty"`
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty"`
Variables []v1alpha1.Variable `json:"variables,omitempty"`
Expressions []v1beta1.Validation `json:"expressions,omitempty"`
ParamKind *v1beta1.ParamKind `json:"paramKind,omitempty"`
ParamRef *v1beta1.ParamRef `json:"paramRef,omitempty"`
AuditAnnotations []v1beta1.AuditAnnotation `json:"auditAnnotations,omitempty"`
Variables []v1beta1.Variable `json:"variables,omitempty"`
}
// CELApplyConfiguration constructs an declarative configuration of the CEL type for use with
@ -41,7 +41,7 @@ func CEL() *CELApplyConfiguration {
// WithExpressions adds the given value to the Expressions field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Expressions field.
func (b *CELApplyConfiguration) WithExpressions(values ...v1alpha1.Validation) *CELApplyConfiguration {
func (b *CELApplyConfiguration) WithExpressions(values ...v1beta1.Validation) *CELApplyConfiguration {
for i := range values {
b.Expressions = append(b.Expressions, values[i])
}
@ -51,7 +51,7 @@ func (b *CELApplyConfiguration) WithExpressions(values ...v1alpha1.Validation) *
// WithParamKind sets the ParamKind field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ParamKind field is set to the value of the last call.
func (b *CELApplyConfiguration) WithParamKind(value v1alpha1.ParamKind) *CELApplyConfiguration {
func (b *CELApplyConfiguration) WithParamKind(value v1beta1.ParamKind) *CELApplyConfiguration {
b.ParamKind = &value
return b
}
@ -59,7 +59,7 @@ func (b *CELApplyConfiguration) WithParamKind(value v1alpha1.ParamKind) *CELAppl
// WithParamRef sets the ParamRef field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ParamRef field is set to the value of the last call.
func (b *CELApplyConfiguration) WithParamRef(value v1alpha1.ParamRef) *CELApplyConfiguration {
func (b *CELApplyConfiguration) WithParamRef(value v1beta1.ParamRef) *CELApplyConfiguration {
b.ParamRef = &value
return b
}
@ -67,7 +67,7 @@ func (b *CELApplyConfiguration) WithParamRef(value v1alpha1.ParamRef) *CELApplyC
// WithAuditAnnotations adds the given value to the AuditAnnotations field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the AuditAnnotations field.
func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnnotation) *CELApplyConfiguration {
func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1beta1.AuditAnnotation) *CELApplyConfiguration {
for i := range values {
b.AuditAnnotations = append(b.AuditAnnotations, values[i])
}
@ -77,7 +77,7 @@ func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnn
// WithVariables adds the given value to the Variables field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Variables field.
func (b *CELApplyConfiguration) WithVariables(values ...v1alpha1.Variable) *CELApplyConfiguration {
func (b *CELApplyConfiguration) WithVariables(values ...v1beta1.Variable) *CELApplyConfiguration {
for i := range values {
b.Variables = append(b.Variables, values[i])
}


@ -20,7 +20,7 @@ package v1
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
)
// RuleApplyConfiguration represents an declarative configuration of the Rule type for use
@ -32,7 +32,7 @@ type RuleApplyConfiguration struct {
ExcludeResources *MatchResourcesApplyConfiguration `json:"exclude,omitempty"`
ImageExtractors *kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty"`
RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
CELPreconditions []v1alpha1.MatchCondition `json:"celPreconditions,omitempty"`
CELPreconditions []v1beta1.MatchCondition `json:"celPreconditions,omitempty"`
Mutation *MutationApplyConfiguration `json:"mutate,omitempty"`
Validation *ValidationApplyConfiguration `json:"validate,omitempty"`
Generation *GenerationApplyConfiguration `json:"generate,omitempty"`
@ -102,7 +102,7 @@ func (b *RuleApplyConfiguration) WithRawAnyAllConditions(value kyvernov1.Conditi
// WithCELPreconditions adds the given value to the CELPreconditions field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the CELPreconditions field.
func (b *RuleApplyConfiguration) WithCELPreconditions(values ...v1alpha1.MatchCondition) *RuleApplyConfiguration {
func (b *RuleApplyConfiguration) WithCELPreconditions(values ...v1beta1.MatchCondition) *RuleApplyConfiguration {
for i := range values {
b.CELPreconditions = append(b.CELPreconditions, values[i])
}


@ -26,8 +26,8 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/dynamic"
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
@ -50,7 +50,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
ephrLister cache.GenericLister
cephrLister cache.GenericLister
@ -70,7 +70,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
) controllers.Controller {
ephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"))
cephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("clusterephemeralreports"))
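Review bot: The `vapInformer` parameter and the `vapLister` field now bind this controller to the admissionregistration.k8s.io/v1beta1 ValidatingAdmissionPolicy API, which is only served by clusters that expose that version (Kubernetes 1.28 and later), and nothing in these hunks gates construction on that API being available. If the caller wires the informer unconditionally, a cluster that serves only v1alpha1, or no VAP API at all, would leave the informer unable to list and the controller's cache sync would presumably never complete; the caller is outside this view, so this is worth confirming where NewController is invoked. A comment on the field would make the requirement visible to the next maintainer: `// vapLister requires admissionregistration.k8s.io/v1beta1 to be served (Kubernetes 1.28+); callers gate on API discovery.` Both the controller struct and the NewController signature continue outside the hunk.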


@ -26,14 +26,14 @@ import (
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
corev1informers "k8s.io/client-go/informers/core/v1"
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
corev1listers "k8s.io/client-go/listers/core/v1"
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
"k8s.io/client-go/tools/cache"
@ -59,8 +59,8 @@ type controller struct {
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
polexLister kyvernov2listers.PolicyExceptionLister
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
vapBindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister
bgscanrLister cache.GenericLister
cbgscanrLister cache.GenericLister
nsLister corev1listers.NamespaceLister
@ -87,8 +87,8 @@ func NewController(
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
polexInformer kyvernov2informers.PolicyExceptionInformer,
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
vapBindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer,
nsInformer corev1informers.NamespaceInformer,
metadataCache resource.MetadataCache,
forceDelay time.Duration,
@ -186,31 +186,31 @@ func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
c.enqueueResources()
}
func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) addVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
c.enqueueResources()
}
func (c *controller) updateVAP(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) updateVAP(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
if old.GetResourceVersion() != obj.GetResourceVersion() {
c.enqueueResources()
}
}
func (c *controller) deleteVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) deleteVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
c.enqueueResources()
}
func (c *controller) addVAPBinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) addVAPBinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
c.enqueueResources()
}
func (c *controller) updateVAPBinding(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) updateVAPBinding(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
if old.GetResourceVersion() != obj.GetResourceVersion() {
c.enqueueResources()
}
}
func (c *controller) deleteVAPBinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) deleteVAPBinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
c.enqueueResources()
}
@ -244,7 +244,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
}
}
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
// if the reportMetadata does not exist, we need a full reconcile
reportMetadata, err := c.getMeta(namespace, name)
if err != nil {
@ -304,7 +304,7 @@ func (c *controller) reconcileReport(
gvk schema.GroupVersionKind,
resource resource.Resource,
exceptions []kyvernov2.PolicyException,
bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
policies ...engineapi.GenericPolicy,
) error {
// namespace labels to be used by the scanner
@ -528,7 +528,7 @@ func (c *controller) reconcile(ctx context.Context, log logr.Logger, key, namesp
policies = append(policies, engineapi.NewValidatingAdmissionPolicy(pol))
}
}
var vapBindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding
var vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
if c.vapBindingLister != nil {
// load validating admission policy bindings
vapBindings, err = utils.FetchValidatingAdmissionPolicyBindings(c.vapBindingLister)


@ -23,8 +23,8 @@ import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/watch"
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
"k8s.io/client-go/tools/cache"
watchTools "k8s.io/client-go/tools/watch"
"k8s.io/client-go/util/workqueue"
@ -79,7 +79,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
// queue
queue workqueue.TypedRateLimitingInterface[any]
@ -93,7 +93,7 @@ func NewController(
client dclient.Interface,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
) Controller {
c := controller{
client: client,


@ -13,7 +13,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
"go.uber.org/multierr"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -31,7 +31,7 @@ type ScanResult struct {
}
type Scanner interface {
ScanResource(context.Context, unstructured.Unstructured, map[string]string, []v1alpha1.ValidatingAdmissionPolicyBinding, ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult
ScanResource(context.Context, unstructured.Unstructured, map[string]string, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult
}
func NewScanner(
@ -50,7 +50,7 @@ func NewScanner(
}
}
func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, bindings []v1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult {
func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult {
results := map[*engineapi.GenericPolicy]ScanResult{}
for i, policy := range policies {
var errors []error


@ -10,11 +10,11 @@ import (
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/sets"
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
)
func CanBackgroundProcess(p kyvernov1.PolicyInterface) bool {
@ -125,8 +125,8 @@ func FetchPolicyExceptions(polexLister kyvernov2listers.PolicyExceptionLister, n
return exceptions, nil
}
func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
var policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1beta1.ValidatingAdmissionPolicy, error) {
var policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
if pols, err := vapLister.List(labels.Everything()); err != nil {
return nil, err
} else {
@ -137,8 +137,8 @@ func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1lis
return policies, nil
}
func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, error) {
var bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding
func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister) ([]admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
var bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
if pols, err := vapBindingLister.List(labels.Everything()); err != nil {
return nil, err
} else {


@ -22,13 +22,13 @@ import (
datautils "github.com/kyverno/kyverno/pkg/utils/data"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
"k8s.io/client-go/kubernetes"
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/workqueue"
)
@ -49,8 +49,8 @@ type controller struct {
// listers
cpolLister kyvernov1listers.ClusterPolicyLister
polexLister kyvernov2listers.PolicyExceptionLister
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
vapbindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
vapbindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister
// queue
queue workqueue.TypedRateLimitingInterface[any]
@ -65,8 +65,8 @@ func NewController(
discoveryClient dclient.IDiscovery,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
polexInformer kyvernov2informers.PolicyExceptionInformer,
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
vapbindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
vapbindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer,
eventGen event.Interface,
checker checker.AuthChecker,
) controllers.Controller {
@ -188,22 +188,22 @@ func (c *controller) enqueueException(obj *kyvernov2.PolicyException) {
}
}
func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) addVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
c.enqueueVAP(obj)
}
func (c *controller) updateVAP(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) updateVAP(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
if datautils.DeepEqual(old.Spec, obj.Spec) {
return
}
c.enqueueVAP(obj)
}
func (c *controller) deleteVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) deleteVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
c.enqueueVAP(obj)
}
func (c *controller) enqueueVAP(v *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
func (c *controller) enqueueVAP(v *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
if len(v.OwnerReferences) == 1 {
if v.OwnerReferences[0].Kind == "ClusterPolicy" {
cpol, err := c.cpolLister.Get(v.OwnerReferences[0].Name)
@ -215,22 +215,22 @@ func (c *controller) enqueueVAP(v *admissionregistrationv1alpha1.ValidatingAdmis
}
}
func (c *controller) addVAPbinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) addVAPbinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
c.enqueueVAPbinding(obj)
}
func (c *controller) updateVAPbinding(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) updateVAPbinding(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
if datautils.DeepEqual(old.Spec, obj.Spec) {
return
}
c.enqueueVAPbinding(obj)
}
func (c *controller) deleteVAPbinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) deleteVAPbinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
c.enqueueVAPbinding(obj)
}
func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
if len(vb.OwnerReferences) == 1 {
if vb.OwnerReferences[0].Kind == "ClusterPolicy" {
cpol, err := c.cpolLister.Get(vb.OwnerReferences[0].Name)
@ -250,7 +250,7 @@ func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, er
return cpolicy, nil
}
func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1beta1.ValidatingAdmissionPolicy, error) {
vap, err := c.vapLister.Get(name)
if err != nil {
return nil, err
@ -258,7 +258,7 @@ func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregist
return vap, nil
}
func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, error) {
func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
vapbinding, err := c.vapbindingLister.Get(name)
if err != nil {
return nil, err
@ -328,14 +328,14 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
if ok, msg := validatingadmissionpolicy.CanGenerateVAP(spec, exceptions); !ok {
// delete the ValidatingAdmissionPolicy if exist
if vapErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
if err != nil {
return err
}
}
// delete the ValidatingAdmissionPolicyBinding if exist
if vapBindingErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
if err != nil {
return err
}
@ -353,7 +353,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error())
return vapErr
}
observedVAP = &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
observedVAP = &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: vapName,
},
@ -365,7 +365,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error())
return vapBindingErr
}
observedVAPbinding = &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
observedVAPbinding = &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{
Name: vapBindingName,
},
@ -378,7 +378,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
}
_, err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{})
_, err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{})
if err != nil {
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
@ -387,8 +387,8 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
_, err = controllerutils.Update(
ctx,
observedVAP,
c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(),
func(observed *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) error {
c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
func(observed *admissionregistrationv1beta1.ValidatingAdmissionPolicy) error {
return validatingadmissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observed, policy, exceptions)
})
if err != nil {
@ -403,7 +403,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
}
_, err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{})
_, err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{})
if err != nil {
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
@ -412,8 +412,8 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
_, err = controllerutils.Update(
ctx,
observedVAPbinding,
c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings(),
func(observed *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) error {
c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings(),
func(observed *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) error {
return validatingadmissionpolicy.BuildValidatingAdmissionPolicyBinding(observed, policy)
})
if err != nil {
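Review bot: The two `Delete` calls that now go through `AdmissionregistrationV1beta1()` still return on any error, so a ValidatingAdmissionPolicy or binding that disappears between the earlier lookup (`vapErr == nil` / `vapBindingErr == nil`) and the delete fails the reconcile and requeues work for an object that is already gone. Since `apierrors` is already imported in this file, both sites could tolerate that race with `if err != nil && !apierrors.IsNotFound(err) { return err }`. The binding delete a few lines below the policy delete needs the same change. `reconcile` starts and ends outside the hunk.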


@ -2,7 +2,7 @@ package api
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -22,7 +22,7 @@ type GenericPolicy interface {
// AsKyvernoPolicy returns the kyverno policy
AsKyvernoPolicy() kyvernov1.PolicyInterface
// AsValidatingAdmissionPolicy returns the validating admission policy
AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy
// GetType returns policy type
GetType() PolicyType
// GetAPIVersion returns policy API version
@ -51,7 +51,7 @@ func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return p.policy
}
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return nil
}
@ -98,14 +98,14 @@ func NewKyvernoPolicy(pol kyvernov1.PolicyInterface) GenericPolicy {
}
type ValidatingAdmissionPolicy struct {
policy v1alpha1.ValidatingAdmissionPolicy
policy admissionregistrationv1beta1.ValidatingAdmissionPolicy
}
func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return nil
}
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return &p.policy
}
@ -114,7 +114,7 @@ func (p *ValidatingAdmissionPolicy) GetType() PolicyType {
}
func (p *ValidatingAdmissionPolicy) GetAPIVersion() string {
return "admissionregistration.k8s.io/v1alpha1"
return "admissionregistration.k8s.io/v1beta1"
}
func (p *ValidatingAdmissionPolicy) GetName() string {
@ -145,7 +145,7 @@ func (p *ValidatingAdmissionPolicy) MetaObject() metav1.Object {
return &p.policy
}
func NewValidatingAdmissionPolicy(pol v1alpha1.ValidatingAdmissionPolicy) GenericPolicy {
func NewValidatingAdmissionPolicy(pol admissionregistrationv1beta1.ValidatingAdmissionPolicy) GenericPolicy {
return &ValidatingAdmissionPolicy{
policy: pol,
}
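Review bot: `GetAPIVersion` returns the group/version as a hard-coded string literal that this commit had to edit by hand alongside the import change; `return admissionregistrationv1beta1.SchemeGroupVersion.String()` ties it to the package already imported in this file, so the next migration (to v1) cannot leave the literal behind. The same literal appears twice in `NewValidatingAdmissionPolicyEvent` further down (the `APIVersion` fields of the two `corev1.ObjectReference` values) and would benefit from the same treatment, assuming that file imports the v1beta1 package.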


@ -5,7 +5,7 @@ import (
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/pod-security-admission/api"
@ -46,7 +46,7 @@ type RuleResponse struct {
// exceptions are the exceptions applied (if any)
exceptions []kyvernov2.PolicyException
// binding is the validatingadmissionpolicybinding (if any)
binding *v1alpha1.ValidatingAdmissionPolicyBinding
binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
// emitWarning enable passing rule message as warning to api server warning header
emitWarning bool
}
@ -93,7 +93,7 @@ func (r RuleResponse) WithExceptions(exceptions []kyvernov2.PolicyException) *Ru
return &r
}
func (r RuleResponse) WithBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding) *RuleResponse {
func (r RuleResponse) WithBinding(binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) *RuleResponse {
r.binding = binding
return &r
}
@ -133,7 +133,7 @@ func (r *RuleResponse) Exceptions() []kyvernov2.PolicyException {
return r.exceptions
}
func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding {
func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
return r.binding
}


@ -15,7 +15,7 @@ import (
celutils "github.com/kyverno/kyverno/pkg/utils/cel"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
vaputils "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -215,7 +215,7 @@ func (h validateCELHandler) Process(
)
}
func collectParams(ctx context.Context, client engineapi.Client, paramKind *admissionregistrationv1alpha1.ParamKind, paramRef *admissionregistrationv1alpha1.ParamRef, namespace string) ([]runtime.Object, error) {
func collectParams(ctx context.Context, client engineapi.Client, paramKind *admissionregistrationv1beta1.ParamKind, paramRef *admissionregistrationv1beta1.ParamRef, namespace string) ([]runtime.Object, error) {
var params []runtime.Object
apiVersion := paramKind.APIVersion
@ -266,7 +266,7 @@ func collectParams(ctx context.Context, client engineapi.Client, paramKind *admi
}
}
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == admissionregistrationv1alpha1.DenyAction {
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == admissionregistrationv1beta1.DenyAction {
return nil, fmt.Errorf("no params found")
}
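Review bot: `collectParams` dereferences `paramKind` on its first line (`paramKind.APIVersion`) and `paramRef` later in the hunk (`paramRef.ParameterNotFoundAction`); both are optional pointers in the ValidatingAdmissionPolicy spec, so unless every caller already guards them, a policy with validations but no `paramKind`/`paramRef` would panic inside the admission handler. A guard at the top such as `if paramKind == nil || paramRef == nil { return nil, nil }` (or an explicit error, whichever matches the caller's contract, which is not visible here) keeps that failure out of the request path. The function body continues outside the hunk.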


@ -347,7 +347,7 @@ func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName
vapEvent := Info{
Regarding: regarding,
Related: &corev1.ObjectReference{
APIVersion: "admissionregistration.k8s.io/v1alpha1",
APIVersion: "admissionregistration.k8s.io/v1beta1",
Kind: "ValidatingAdmissionPolicy",
Name: vapName,
},
@ -359,7 +359,7 @@ func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName
vapBindingEvent := Info{
Regarding: regarding,
Related: &corev1.ObjectReference{
APIVersion: "admissionregistration.k8s.io/v1alpha1",
APIVersion: "admissionregistration.k8s.io/v1beta1",
Kind: "ValidatingAdmissionPolicyBinding",
Name: vapBindingName,
},


@ -2,7 +2,7 @@ package cel
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apiserver/pkg/admission/plugin/cel"
"k8s.io/apiserver/pkg/admission/plugin/policy/validating"
"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
@ -12,17 +12,17 @@ import (
type Compiler struct {
compositedCompiler cel.CompositedCompiler
// CEL expressions
validateExpressions []admissionregistrationv1alpha1.Validation
auditAnnotationExpressions []admissionregistrationv1alpha1.AuditAnnotation
validateExpressions []admissionregistrationv1beta1.Validation
auditAnnotationExpressions []admissionregistrationv1beta1.AuditAnnotation
matchExpressions []admissionregistrationv1.MatchCondition
variables []admissionregistrationv1alpha1.Variable
variables []admissionregistrationv1beta1.Variable
}
func NewCompiler(
validations []admissionregistrationv1alpha1.Validation,
auditAnnotations []admissionregistrationv1alpha1.AuditAnnotation,
validations []admissionregistrationv1beta1.Validation,
auditAnnotations []admissionregistrationv1beta1.AuditAnnotation,
matchConditions []admissionregistrationv1.MatchCondition,
variables []admissionregistrationv1alpha1.Variable,
variables []admissionregistrationv1beta1.Variable,
) (*Compiler, error) {
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
if err != nil {


@ -6,7 +6,7 @@ import (
fuzz "github.com/AdaLogics/go-fuzz-headers"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
)
func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) {
@ -200,7 +200,7 @@ func createRule(f *fuzz.ConsumeFuzzer) (*kyvernov1.Rule, error) {
return rule, err
}
if setCELPreconditions {
celp := make([]admissionregistrationv1alpha1.MatchCondition, 0)
celp := make([]admissionregistrationv1beta1.MatchCondition, 0)
err = f.CreateSlice(&celp)
if err != nil {
return rule, err


@ -13,7 +13,7 @@ import (
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
@ -89,7 +89,7 @@ func PolicyExceptionLabel(exception kyvernov2.PolicyException) string {
return LabelPrefixPolicyException + exception.GetName()
}
func ValidatingAdmissionPolicyBindingLabel(binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) string {
func ValidatingAdmissionPolicyBindingLabel(binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) string {
return LabelPrefixValidatingAdmissionPolicyBinding + binding.GetName()
}
@ -168,7 +168,7 @@ func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyverno
controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
}
func SetValidatingAdmissionPolicyBindingLabel(report reportsv1.ReportInterface, binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
func SetValidatingAdmissionPolicyBindingLabel(report reportsv1.ReportInterface, binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
controllerutils.SetLabel(report, ValidatingAdmissionPolicyBindingLabel(binding), binding.GetResourceVersion())
}


@ -8,14 +8,14 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
extyaml "github.com/kyverno/kyverno/ext/yaml"
log "github.com/kyverno/kyverno/pkg/logging"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/yaml"
)
// GetPolicy extracts policies from YAML bytes
func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []v1alpha1.ValidatingAdmissionPolicyBinding, err error) {
func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, err error) {
documents, err := extyaml.SplitDocuments(bytes)
if err != nil {
return nil, nil, nil, err
@ -51,11 +51,11 @@ func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAd
return policies, validatingAdmissionPolicies, validatingAdmissionPolicyBindings, err
}
func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []v1alpha1.ValidatingAdmissionPolicyBinding, us *unstructured.Unstructured) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, []v1alpha1.ValidatingAdmissionPolicyBinding, error) {
func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, us *unstructured.Unstructured) ([]kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
kind := us.GetKind()
if strings.Compare(kind, "ValidatingAdmissionPolicy") == 0 {
validatingAdmissionPolicy := v1alpha1.ValidatingAdmissionPolicy{}
validatingAdmissionPolicy := admissionregistrationv1beta1.ValidatingAdmissionPolicy{}
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(us.Object, &validatingAdmissionPolicy, true); err != nil {
return policies, nil, validatingAdmissionPolicyBindings, fmt.Errorf("failed to decode policy: %v", err)
@ -68,7 +68,7 @@ func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies
validatingAdmissionPolicies = append(validatingAdmissionPolicies, validatingAdmissionPolicy)
} else if strings.Compare(kind, "ValidatingAdmissionPolicyBinding") == 0 {
validatingAdmissionPolicyBinding := v1alpha1.ValidatingAdmissionPolicyBinding{}
validatingAdmissionPolicyBinding := admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{}
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(us.Object, &validatingAdmissionPolicyBinding, true); err != nil {
return policies, validatingAdmissionPolicies, nil, fmt.Errorf("failed to decode policy: %v", err)
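Review bot: `addPolicy` picks the target struct from `us.GetKind()` alone, so a manifest that still declares `apiVersion: admissionregistration.k8s.io/v1alpha1` (or any other version) is decoded into the v1beta1 type without comment; as far as I can tell `FromUnstructuredWithValidation` only rejects unknown fields, not a mismatched version. If accepting older manifests is intended, say so next to the kind check, e.g. `// apiVersion is deliberately not checked: older VAP manifests are decoded as v1beta1`; otherwise compare `us.GetAPIVersion()` against `admissionregistrationv1beta1.SchemeGroupVersion.String()` and return an error naming the unsupported version. `addPolicy` continues outside the hunk.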


@ -303,7 +303,7 @@ items:
name: "ValidatingAdmissionPolicy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
@ -326,7 +326,7 @@ spec:
name: "ValidatingAdmissionPolicy and Policy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
@ -380,7 +380,7 @@ spec:
name: "ValidatingAdmissionPolicy and ClusterPolicy",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
@ -433,7 +433,7 @@ spec:
name: "ValidatingAdmissionPolicyBinding",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "demo-binding-test.example.com"
@ -453,7 +453,7 @@ spec:
name: "ValidatingAdmissionPolicy and its binding",
args: args{
[]byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "demo-policy.example.com"
@ -468,7 +468,7 @@ spec:
validations:
- expression: "object.spec.replicas <= 5"
---
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
name: "demo-binding-test.example.com"


@ -4,7 +4,7 @@ import (
"context"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@ -14,23 +14,23 @@ import (
// Everything someone might need to validate a single ValidatingPolicyDefinition
// against all of its registered bindings.
type PolicyData struct {
definition v1alpha1.ValidatingAdmissionPolicy
bindings []v1alpha1.ValidatingAdmissionPolicyBinding
definition admissionregistrationv1beta1.ValidatingAdmissionPolicy
bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
}
func (p *PolicyData) AddBinding(binding v1alpha1.ValidatingAdmissionPolicyBinding) {
func (p *PolicyData) AddBinding(binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
p.bindings = append(p.bindings, binding)
}
func (p *PolicyData) GetDefinition() v1alpha1.ValidatingAdmissionPolicy {
func (p *PolicyData) GetDefinition() admissionregistrationv1beta1.ValidatingAdmissionPolicy {
return p.definition
}
func (p *PolicyData) GetBindings() []v1alpha1.ValidatingAdmissionPolicyBinding {
func (p *PolicyData) GetBindings() []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
return p.bindings
}
func NewPolicyData(policy v1alpha1.ValidatingAdmissionPolicy) PolicyData {
func NewPolicyData(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) PolicyData {
return PolicyData{
definition: policy,
}


@ -10,14 +10,14 @@ import (
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// BuildValidatingAdmissionPolicy is used to build a Kubernetes ValidatingAdmissionPolicy from a Kyverno policy
func BuildValidatingAdmissionPolicy(
discoveryClient dclient.IDiscovery,
vap *admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
vap *admissionregistrationv1beta1.ValidatingAdmissionPolicy,
cpol kyvernov1.PolicyInterface,
exceptions []kyvernov2.PolicyException,
) error {
@ -32,8 +32,8 @@ func BuildValidatingAdmissionPolicy(
}
// construct the rules
var matchResources admissionregistrationv1alpha1.MatchResources
var matchRules, excludeRules []admissionregistrationv1alpha1.NamedRuleWithOperations
var matchResources admissionregistrationv1beta1.MatchResources
var matchRules, excludeRules []admissionregistrationv1beta1.NamedRuleWithOperations
rule := cpol.GetSpec().Rules[0]
@ -92,7 +92,7 @@ func BuildValidatingAdmissionPolicy(
}
// set policy spec
vap.Spec = admissionregistrationv1alpha1.ValidatingAdmissionPolicySpec{
vap.Spec = admissionregistrationv1beta1.ValidatingAdmissionPolicySpec{
MatchConstraints: &matchResources,
ParamKind: rule.Validation.CEL.ParamKind,
Variables: rule.Validation.CEL.Variables,
@ -108,7 +108,7 @@ func BuildValidatingAdmissionPolicy(
// BuildValidatingAdmissionPolicyBinding is used to build a Kubernetes ValidatingAdmissionPolicyBinding from a Kyverno policy
func BuildValidatingAdmissionPolicyBinding(
vapbinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
vapbinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
cpol kyvernov1.PolicyInterface,
) error {
// set owner reference
@ -122,28 +122,28 @@ func BuildValidatingAdmissionPolicyBinding(
}
// set validation action for vap binding
var validationActions []admissionregistrationv1alpha1.ValidationAction
var validationActions []admissionregistrationv1beta1.ValidationAction
validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
if validateAction != nil {
if validateAction.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
validationActions = append(validationActions, admissionregistrationv1beta1.Deny)
} else if validateAction.Audit() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
validationActions = append(validationActions, admissionregistrationv1beta1.Audit)
validationActions = append(validationActions, admissionregistrationv1beta1.Warn)
}
} else {
validateAction := cpol.GetSpec().ValidationFailureAction
if validateAction.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
validationActions = append(validationActions, admissionregistrationv1beta1.Deny)
} else if validateAction.Audit() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
validationActions = append(validationActions, admissionregistrationv1beta1.Audit)
validationActions = append(validationActions, admissionregistrationv1beta1.Warn)
}
}
// set validating admission policy binding spec
rule := cpol.GetSpec().Rules[0]
vapbinding.Spec = admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{
vapbinding.Spec = admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: cpol.GetName(),
ParamRef: rule.Validation.CEL.ParamRef,
ValidationActions: validationActions,
@ -155,8 +155,8 @@ func BuildValidatingAdmissionPolicyBinding(
}
func translateResourceFilters(discoveryClient dclient.IDiscovery,
matchResources *admissionregistrationv1alpha1.MatchResources,
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
matchResources *admissionregistrationv1beta1.MatchResources,
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
resFilters kyvernov1.ResourceFilters,
isMatch bool,
) error {
@ -171,8 +171,8 @@ func translateResourceFilters(discoveryClient dclient.IDiscovery,
func translateResource(
discoveryClient dclient.IDiscovery,
matchResources *admissionregistrationv1alpha1.MatchResources,
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
matchResources *admissionregistrationv1beta1.MatchResources,
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
res kyvernov1.ResourceDescription,
isMatch bool,
) error {
@ -206,7 +206,7 @@ func translateResource(
func constructValidatingAdmissionPolicyRules(
discoveryClient dclient.IDiscovery,
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
res kyvernov1.ResourceDescription,
isMatch bool,
) error {
@ -226,7 +226,7 @@ func constructValidatingAdmissionPolicyRules(
// apiVersions: ["version"]
// resources: ["resource"]
for _, kind := range res.Kinds {
var r admissionregistrationv1alpha1.NamedRuleWithOperations
var r admissionregistrationv1beta1.NamedRuleWithOperations
if kind == "*" {
r = buildNamedRuleWithOperations(resourceNames, "*", "*", ops, "*")
@ -270,7 +270,7 @@ func constructValidatingAdmissionPolicyRules(
// if exclude block has namespaces but no kinds, we need to add a rule for the namespaces
if !isMatch && len(res.Namespaces) > 0 && len(res.Kinds) == 0 {
r := admissionregistrationv1alpha1.NamedRuleWithOperations{
r := admissionregistrationv1beta1.NamedRuleWithOperations{
ResourceNames: res.Namespaces,
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Rule: admissionregistrationv1.Rule{
@ -291,8 +291,8 @@ func buildNamedRuleWithOperations(
group, version string,
operations []admissionregistrationv1.OperationType,
resources ...string,
) admissionregistrationv1alpha1.NamedRuleWithOperations {
return admissionregistrationv1alpha1.NamedRuleWithOperations{
) admissionregistrationv1beta1.NamedRuleWithOperations {
return admissionregistrationv1beta1.NamedRuleWithOperations{
ResourceNames: resourceNames,
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
Rule: admissionregistrationv1.Rule{


@ -1,7 +1,7 @@
package validatingadmissionpolicy
import (
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@ -14,7 +14,7 @@ import (
// - if the object selector matches the resource
// - if the resource is excluded by the policy/binding
// - if the resource matches the policy/binding rules
func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[string]string, matchCriteria admissionregistrationv1alpha1.MatchResources) (bool, error) {
func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[string]string, matchCriteria admissionregistrationv1beta1.MatchResources) (bool, error) {
// check if the namespace selector matches the resource namespace
if matchCriteria.NamespaceSelector != nil {
if len(matchCriteria.NamespaceSelector.MatchLabels) > 0 || len(matchCriteria.NamespaceSelector.MatchExpressions) > 0 {
@ -66,7 +66,7 @@ func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[stri
return true, nil
}
func matchesResourceRules(resourceRules []admissionregistrationv1alpha1.NamedRuleWithOperations, attr admission.Attributes) bool {
func matchesResourceRules(resourceRules []admissionregistrationv1beta1.NamedRuleWithOperations, attr admission.Attributes) bool {
for _, r := range resourceRules {
ruleMatcher := rules.Matcher{
Rule: r.RuleWithOperations,


@ -19,20 +19,20 @@ func hasPermissions(resource schema.GroupVersionResource, s checker.AuthChecker)
// HasValidatingAdmissionPolicyPermission check if the admission controller has the required permissions to generate
// Kubernetes ValidatingAdmissionPolicy
func HasValidatingAdmissionPolicyPermission(s checker.AuthChecker) bool {
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicies"}
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1beta1", Resource: "validatingadmissionpolicies"}
return hasPermissions(gvr, s)
}
// HasValidatingAdmissionPolicyBindingPermission check if the admission controller has the required permissions to generate
// Kubernetes ValidatingAdmissionPolicyBinding
func HasValidatingAdmissionPolicyBindingPermission(s checker.AuthChecker) bool {
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicybindings"}
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1beta1", Resource: "validatingadmissionpolicybindings"}
return hasPermissions(gvr, s)
}
// IsValidatingAdmissionPolicyRegistered checks if ValidatingAdmissionPolicies are registered in the API Server
func IsValidatingAdmissionPolicyRegistered(kubeClient kubernetes.Interface) (bool, error) {
groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"}
if _, err := kubeClient.Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
return false, err
}
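Review bot: The group/version pair `admissionregistration.k8s.io` / `v1beta1` is now spelled out on three separate lines (both GroupVersionResource literals and the GroupVersion in IsValidatingAdmissionPolicyRegistered), so the next version bump has to find all three again; a single package-level `var vapGroupVersion = schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"}` used as `vapGroupVersion.WithResource("validatingadmissionpolicies")` in the two permission checks would keep them from drifting. Separately, IsValidatingAdmissionPolicyRegistered now equates "v1beta1 not served" with "VAPs not registered", so a cluster that served only the v1 API would be reported as unregistered; that is worth stating in its doc comment, e.g. `// Only the v1beta1 API is probed; a server that exposes solely admissionregistration.k8s.io/v1 is reported as not registered.` The body of IsValidatingAdmissionPolicyRegistered continues outside the hunk.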


@ -14,7 +14,7 @@ import (
"golang.org/x/text/cases"
"golang.org/x/text/language"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -29,7 +29,7 @@ import (
celconfig "k8s.io/apiserver/pkg/apis/cel"
)
func GetKinds(policy v1alpha1.ValidatingAdmissionPolicy) []string {
func GetKinds(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) []string {
var kindList []string
matchResources := policy.Spec.MatchConstraints
@ -120,7 +120,7 @@ func Validate(
nsLister := NewCustomNamespaceLister(client)
matcher := generic.NewPolicyMatcher(matching.NewMatcher(nsLister, client.GetKubeClient()))
// convert policy from v1alpha1 to v1
// convert policy from v1beta1 to v1
v1policy := ConvertValidatingAdmissionPolicy(policy)
// construct admission attributes
@ -179,8 +179,8 @@ func Validate(
}
func validateResource(
policy v1alpha1.ValidatingAdmissionPolicy,
binding *v1alpha1.ValidatingAdmissionPolicyBinding,
policy admissionregistrationv1beta1.ValidatingAdmissionPolicy,
binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
resource unstructured.Unstructured,
namespace corev1.Namespace,
a admission.Attributes,
@ -208,9 +208,9 @@ func validateResource(
failPolicy = admissionregistrationv1.FailurePolicyType(*policy.Spec.FailurePolicy)
}
var matchPolicy v1alpha1.MatchPolicyType
var matchPolicy admissionregistrationv1beta1.MatchPolicyType
if policy.Spec.MatchConstraints.MatchPolicy == nil {
matchPolicy = v1alpha1.Equivalent
matchPolicy = admissionregistrationv1beta1.Equivalent
} else {
matchPolicy = *policy.Spec.MatchConstraints.MatchPolicy
}


@ -18,7 +18,7 @@ func TestGetKinds(t *testing.T) {
{
name: "Matching pods",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-1"
@ -38,7 +38,7 @@ spec:
{
name: "Matching deployments, replicasets, daemonsets and statefulsets",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-2"
@ -58,7 +58,7 @@ spec:
{
name: "Matching deployments/scale",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-3"
@ -78,7 +78,7 @@ spec:
{
name: "Matching jobs and cronjobs",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-4"
@ -98,7 +98,7 @@ spec:
{
name: "Multiple resource rules",
policy: []byte(`
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "policy-5"


@ -2,71 +2,71 @@ package validatingadmissionpolicy
import (
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// ConvertValidatingAdmissionPolicy is used to convert v1alpha1 of ValidatingAdmissionPolicy to v1
func ConvertValidatingAdmissionPolicy(v1alpha1policy admissionregistrationv1alpha1.ValidatingAdmissionPolicy) admissionregistrationv1.ValidatingAdmissionPolicy {
// ConvertValidatingAdmissionPolicy is used to convert v1beta1 of ValidatingAdmissionPolicy to v1
func ConvertValidatingAdmissionPolicy(v1beta1policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) admissionregistrationv1.ValidatingAdmissionPolicy {
var namespaceSelector, objectSelector metav1.LabelSelector
if v1alpha1policy.Spec.MatchConstraints.NamespaceSelector != nil {
namespaceSelector = *v1alpha1policy.Spec.MatchConstraints.NamespaceSelector
if v1beta1policy.Spec.MatchConstraints.NamespaceSelector != nil {
namespaceSelector = *v1beta1policy.Spec.MatchConstraints.NamespaceSelector
}
if v1alpha1policy.Spec.MatchConstraints.ObjectSelector != nil {
objectSelector = *v1alpha1policy.Spec.MatchConstraints.ObjectSelector
if v1beta1policy.Spec.MatchConstraints.ObjectSelector != nil {
objectSelector = *v1beta1policy.Spec.MatchConstraints.ObjectSelector
}
v1beta1policy := admissionregistrationv1.ValidatingAdmissionPolicy{
v1policy := admissionregistrationv1.ValidatingAdmissionPolicy{
Spec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
FailurePolicy: (*admissionregistrationv1.FailurePolicyType)(v1alpha1policy.Spec.FailurePolicy),
ParamKind: (*admissionregistrationv1.ParamKind)(v1alpha1policy.Spec.ParamKind),
FailurePolicy: (*admissionregistrationv1.FailurePolicyType)(v1beta1policy.Spec.FailurePolicy),
ParamKind: (*admissionregistrationv1.ParamKind)(v1beta1policy.Spec.ParamKind),
MatchConstraints: &admissionregistrationv1.MatchResources{
NamespaceSelector: &namespaceSelector,
ObjectSelector: &objectSelector,
ResourceRules: convertRules(v1alpha1policy.Spec.MatchConstraints.ResourceRules),
ExcludeResourceRules: convertRules(v1alpha1policy.Spec.MatchConstraints.ExcludeResourceRules),
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(v1alpha1policy.Spec.MatchConstraints.MatchPolicy),
ResourceRules: convertRules(v1beta1policy.Spec.MatchConstraints.ResourceRules),
ExcludeResourceRules: convertRules(v1beta1policy.Spec.MatchConstraints.ExcludeResourceRules),
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(v1beta1policy.Spec.MatchConstraints.MatchPolicy),
},
Validations: convertValidations(v1alpha1policy.Spec.Validations),
AuditAnnotations: convertAuditAnnotations(v1alpha1policy.Spec.AuditAnnotations),
MatchConditions: convertMatchConditions(v1alpha1policy.Spec.MatchConditions),
Variables: convertVariables(v1alpha1policy.Spec.Variables),
Validations: convertValidations(v1beta1policy.Spec.Validations),
AuditAnnotations: convertAuditAnnotations(v1beta1policy.Spec.AuditAnnotations),
MatchConditions: convertMatchConditions(v1beta1policy.Spec.MatchConditions),
Variables: convertVariables(v1beta1policy.Spec.Variables),
},
}
return v1beta1policy
return v1policy
}
// ConvertValidatingAdmissionPolicyBinding is used to convert v1alpha1 of ValidatingAdmissionPolicyBinding to v1beta1
func ConvertValidatingAdmissionPolicyBinding(v1alpha1binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) admissionregistrationv1.ValidatingAdmissionPolicyBinding {
// ConvertValidatingAdmissionPolicyBinding is used to convert v1beta1 of ValidatingAdmissionPolicyBinding to v1.
func ConvertValidatingAdmissionPolicyBinding(v1beta1binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) admissionregistrationv1.ValidatingAdmissionPolicyBinding {
var namespaceSelector, objectSelector, paramSelector metav1.LabelSelector
var resourceRules, excludeResourceRules []admissionregistrationv1alpha1.NamedRuleWithOperations
var matchPolicy *admissionregistrationv1alpha1.MatchPolicyType
if v1alpha1binding.Spec.MatchResources != nil {
if v1alpha1binding.Spec.MatchResources.NamespaceSelector != nil {
namespaceSelector = *v1alpha1binding.Spec.MatchResources.NamespaceSelector
var resourceRules, excludeResourceRules []admissionregistrationv1beta1.NamedRuleWithOperations
var matchPolicy *admissionregistrationv1beta1.MatchPolicyType
if v1beta1binding.Spec.MatchResources != nil {
if v1beta1binding.Spec.MatchResources.NamespaceSelector != nil {
namespaceSelector = *v1beta1binding.Spec.MatchResources.NamespaceSelector
}
if v1alpha1binding.Spec.MatchResources.ObjectSelector != nil {
objectSelector = *v1alpha1binding.Spec.MatchResources.ObjectSelector
if v1beta1binding.Spec.MatchResources.ObjectSelector != nil {
objectSelector = *v1beta1binding.Spec.MatchResources.ObjectSelector
}
resourceRules = v1alpha1binding.Spec.MatchResources.ResourceRules
excludeResourceRules = v1alpha1binding.Spec.MatchResources.ExcludeResourceRules
matchPolicy = v1alpha1binding.Spec.MatchResources.MatchPolicy
resourceRules = v1beta1binding.Spec.MatchResources.ResourceRules
excludeResourceRules = v1beta1binding.Spec.MatchResources.ExcludeResourceRules
matchPolicy = v1beta1binding.Spec.MatchResources.MatchPolicy
}
var paramRef admissionregistrationv1.ParamRef
if v1alpha1binding.Spec.ParamRef != nil {
paramRef.Name = v1alpha1binding.Spec.ParamRef.Name
paramRef.Namespace = v1alpha1binding.Spec.ParamRef.Namespace
if v1alpha1binding.Spec.ParamRef.Selector != nil {
paramRef.Selector = v1alpha1binding.Spec.ParamRef.Selector
if v1beta1binding.Spec.ParamRef != nil {
paramRef.Name = v1beta1binding.Spec.ParamRef.Name
paramRef.Namespace = v1beta1binding.Spec.ParamRef.Namespace
if v1beta1binding.Spec.ParamRef.Selector != nil {
paramRef.Selector = v1beta1binding.Spec.ParamRef.Selector
} else {
paramRef.Selector = &paramSelector
}
paramRef.ParameterNotFoundAction = (*admissionregistrationv1.ParameterNotFoundActionType)(v1alpha1binding.Spec.ParamRef.ParameterNotFoundAction)
paramRef.ParameterNotFoundAction = (*admissionregistrationv1.ParameterNotFoundActionType)(v1beta1binding.Spec.ParamRef.ParameterNotFoundAction)
}
v1beta1binding := admissionregistrationv1.ValidatingAdmissionPolicyBinding{
v1binding := admissionregistrationv1.ValidatingAdmissionPolicyBinding{
Spec: admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
PolicyName: v1alpha1binding.Spec.PolicyName,
PolicyName: v1beta1binding.Spec.PolicyName,
ParamRef: &paramRef,
MatchResources: &admissionregistrationv1.MatchResources{
NamespaceSelector: &namespaceSelector,
@ -75,63 +75,63 @@ func ConvertValidatingAdmissionPolicyBinding(v1alpha1binding admissionregistrati
ExcludeResourceRules: convertRules(excludeResourceRules),
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(matchPolicy),
},
ValidationActions: convertValidationActions(v1alpha1binding.Spec.ValidationActions),
ValidationActions: convertValidationActions(v1beta1binding.Spec.ValidationActions),
},
}
return v1beta1binding
return v1binding
}
func convertRules(v1alpha1rules []admissionregistrationv1alpha1.NamedRuleWithOperations) []admissionregistrationv1.NamedRuleWithOperations {
v1beta1rules := make([]admissionregistrationv1.NamedRuleWithOperations, 0, len(v1alpha1rules))
for _, r := range v1alpha1rules {
v1beta1rules = append(v1beta1rules, admissionregistrationv1.NamedRuleWithOperations(r))
func convertRules(v1beta1rules []admissionregistrationv1beta1.NamedRuleWithOperations) []admissionregistrationv1.NamedRuleWithOperations {
v1rules := make([]admissionregistrationv1.NamedRuleWithOperations, 0, len(v1beta1rules))
for _, r := range v1beta1rules {
v1rules = append(v1rules, admissionregistrationv1.NamedRuleWithOperations(r))
}
return v1beta1rules
return v1rules
}
func convertValidations(v1alpha1validations []admissionregistrationv1alpha1.Validation) []admissionregistrationv1.Validation {
v1beta1validations := make([]admissionregistrationv1.Validation, 0, len(v1alpha1validations))
for _, v := range v1alpha1validations {
v1beta1validations = append(v1beta1validations, admissionregistrationv1.Validation(v))
func convertValidations(v1beta1validations []admissionregistrationv1beta1.Validation) []admissionregistrationv1.Validation {
v1validations := make([]admissionregistrationv1.Validation, 0, len(v1beta1validations))
for _, v := range v1beta1validations {
v1validations = append(v1validations, admissionregistrationv1.Validation(v))
}
return v1beta1validations
return v1validations
}
func convertAuditAnnotations(v1alpha1auditanns []admissionregistrationv1alpha1.AuditAnnotation) []admissionregistrationv1.AuditAnnotation {
v1beta1auditanns := make([]admissionregistrationv1.AuditAnnotation, 0, len(v1alpha1auditanns))
for _, a := range v1alpha1auditanns {
v1beta1auditanns = append(v1beta1auditanns, admissionregistrationv1.AuditAnnotation(a))
func convertAuditAnnotations(v1beta1auditanns []admissionregistrationv1beta1.AuditAnnotation) []admissionregistrationv1.AuditAnnotation {
v1auditanns := make([]admissionregistrationv1.AuditAnnotation, 0, len(v1beta1auditanns))
for _, a := range v1beta1auditanns {
v1auditanns = append(v1auditanns, admissionregistrationv1.AuditAnnotation(a))
}
return v1beta1auditanns
return v1auditanns
}
func convertMatchConditions(v1alpha1conditions []admissionregistrationv1alpha1.MatchCondition) []admissionregistrationv1.MatchCondition {
v1beta1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1alpha1conditions))
for _, m := range v1alpha1conditions {
v1beta1conditions = append(v1beta1conditions, admissionregistrationv1.MatchCondition(m))
}
return v1beta1conditions
}
func convertVariables(v1alpha1variables []admissionregistrationv1alpha1.Variable) []admissionregistrationv1.Variable {
v1beta1variables := make([]admissionregistrationv1.Variable, 0, len(v1alpha1variables))
for _, v := range v1alpha1variables {
v1beta1variables = append(v1beta1variables, admissionregistrationv1.Variable(v))
}
return v1beta1variables
}
func convertValidationActions(v1alpha1actions []admissionregistrationv1alpha1.ValidationAction) []admissionregistrationv1.ValidationAction {
v1beta1actions := make([]admissionregistrationv1.ValidationAction, 0, len(v1alpha1actions))
for _, a := range v1alpha1actions {
v1beta1actions = append(v1beta1actions, admissionregistrationv1.ValidationAction(a))
}
return v1beta1actions
}
func ConvertMatchConditionsV1(v1alpha1conditions []admissionregistrationv1alpha1.MatchCondition) []admissionregistrationv1.MatchCondition {
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1alpha1conditions))
for _, m := range v1alpha1conditions {
func convertMatchConditions(v1beta1conditions []admissionregistrationv1beta1.MatchCondition) []admissionregistrationv1.MatchCondition {
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1beta1conditions))
for _, m := range v1beta1conditions {
v1conditions = append(v1conditions, admissionregistrationv1.MatchCondition(m))
}
return v1conditions
}
func convertVariables(v1beta1variables []admissionregistrationv1beta1.Variable) []admissionregistrationv1.Variable {
v1variables := make([]admissionregistrationv1.Variable, 0, len(v1beta1variables))
for _, v := range v1beta1variables {
v1variables = append(v1variables, admissionregistrationv1.Variable(v))
}
return v1variables
}
func convertValidationActions(v1beta1actions []admissionregistrationv1beta1.ValidationAction) []admissionregistrationv1.ValidationAction {
v1actions := make([]admissionregistrationv1.ValidationAction, 0, len(v1beta1actions))
for _, a := range v1beta1actions {
v1actions = append(v1actions, admissionregistrationv1.ValidationAction(a))
}
return v1actions
}
func ConvertMatchConditionsV1(v1beta1conditions []admissionregistrationv1beta1.MatchCondition) []admissionregistrationv1.MatchCondition {
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1beta1conditions))
for _, m := range v1beta1conditions {
v1conditions = append(v1conditions, admissionregistrationv1.MatchCondition(m))
}
return v1conditions
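Review bot: ConvertValidatingAdmissionPolicy still dereferences `v1beta1policy.Spec.MatchConstraints` without a nil check (the NamespaceSelector/ObjectSelector guards and the ResourceRules, ExcludeResourceRules and MatchPolicy reads), whereas ConvertValidatingAdmissionPolicyBinding below first tests `Spec.MatchResources != nil`; MatchConstraints is a pointer in the v1beta1 type, so a policy document with no `matchConstraints` — presumably reachable through the unstructured decoder changed earlier in this commit, which is not protected by API-server validation — panics here rather than failing cleanly. Wrapping the selector and rule reads in `if mc := v1beta1policy.Spec.MatchConstraints; mc != nil { ... }` and otherwise emitting an empty v1 MatchResources would make the two converters consistent. A smaller point of style: the doc comment on ConvertValidatingAdmissionPolicy lost its trailing period while the binding one gained it. ConvertMatchConditionsV1 closes outside the hunk.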


@ -30,7 +30,7 @@ import (
datautils "github.com/kyverno/kyverno/pkg/utils/data"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
vaputils "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
@ -470,7 +470,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
}
// build Kubernetes ValidatingAdmissionPolicy
vap := &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
vap := &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{
Name: policy.GetName(),
},


@ -1,40 +0,0 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1alpha1: true
kubeadmConfigPatches:
- |-
kind: ClusterConfiguration
controllerManager:
extraArgs:
bind-address: 0.0.0.0
etcd:
local:
extraArgs:
listen-metrics-urls: http://0.0.0.0:2382
scheduler:
extraArgs:
bind-address: 0.0.0.0
- |-
kind: KubeProxyConfiguration
metricsBindAddress: 0.0.0.0
nodes:
- role: control-plane
kubeadmConfigPatches:
- |-
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
protocol: TCP
- containerPort: 443
hostPort: 443
protocol: TCP
- role: worker
- role: worker
- role: worker


@ -4,7 +4,6 @@ featureGates:
ValidatingAdmissionPolicy: true
runtimeConfig:
admissionregistration.k8s.io/v1beta1: true
admissionregistration.k8s.io/v1alpha1: true
kubeadmConfigPatches:
- |-
kind: ClusterConfiguration


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "chech-deployment-labels"


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "chech-deployment-replicas"


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "disallow-host-path"


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "disallow-host-path"


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: disallow-host-path


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
labels:


@ -1,4 +1,4 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
