chore: remove v1alpha1 of VAPs and use v1beta1 (#10955)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
e00596a551
commit
bde90340a6
140 changed files with 1201 additions and 1055 deletions
142
.github/workflows/conformance.yaml
|
@ -170,75 +170,6 @@ jobs:
|
|||
if: failure()
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
|
||||
validatingadmissionpolicies-v1alpha1:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
packages: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
config:
|
||||
- name: validating-admission-policies
|
||||
values:
|
||||
- standard
|
||||
- generate-validating-admission-policy
|
||||
k8s-version:
|
||||
- name: v1.27
|
||||
version: v1.27.13
|
||||
tests:
|
||||
- generate-validating-admission-policy
|
||||
needs: prepare-images
|
||||
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
# install tools
|
||||
- name: Install helm
|
||||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
|
||||
# create cluster
|
||||
- name: Create kind cluster
|
||||
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
|
||||
with:
|
||||
node_image: kindest/node:${{ matrix.k8s-version.version }}
|
||||
cluster_name: kind
|
||||
config: ./scripts/config/kind/vap-v1alpha1.yaml
|
||||
# deploy kyverno
|
||||
- name: Download kyverno images archive
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: kyverno.tar
|
||||
- name: Load kyverno images archive in kind cluster
|
||||
shell: bash
|
||||
run: |
|
||||
set -e
|
||||
kind load image-archive kyverno.tar --name kind
|
||||
- name: Install kyverno
|
||||
shell: bash
|
||||
run: |
|
||||
set -e
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
|
||||
make kind-install-kyverno
|
||||
- name: Wait for kyverno ready
|
||||
uses: ./.github/actions/kyverno-wait-ready
|
||||
# run tests
|
||||
- name: Test with Chainsaw
|
||||
shell: bash
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
set -e
|
||||
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
|
||||
# debug
|
||||
- name: Debug failure
|
||||
if: failure()
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
|
||||
k8s-version-specific-tests-above-1-28:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
|
@ -313,75 +244,6 @@ jobs:
|
|||
if: failure()
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
|
||||
validatingadmissionpolicies-reports-v1alpha1:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
packages: read
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
config:
|
||||
- name: validating-admission-policy-reports
|
||||
values:
|
||||
- standard
|
||||
- validating-admission-policy-reports
|
||||
k8s-version:
|
||||
- name: v1.27
|
||||
version: v1.27.13
|
||||
tests:
|
||||
- validating-admission-policy-reports
|
||||
needs: prepare-images
|
||||
name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||
# install tools
|
||||
- name: Install helm
|
||||
id: helm
|
||||
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8
|
||||
# create cluster
|
||||
- name: Create kind cluster
|
||||
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
|
||||
with:
|
||||
node_image: kindest/node:${{ matrix.k8s-version.version }}
|
||||
cluster_name: kind
|
||||
config: ./scripts/config/kind/vap-v1alpha1.yaml
|
||||
# deploy kyverno
|
||||
- name: Download kyverno images archive
|
||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||
with:
|
||||
name: kyverno.tar
|
||||
- name: Load kyverno images archive in kind cluster
|
||||
shell: bash
|
||||
run: |
|
||||
set -e
|
||||
kind load image-archive kyverno.tar --name kind
|
||||
- name: Install kyverno
|
||||
shell: bash
|
||||
run: |
|
||||
set -e
|
||||
export HELM=${{ steps.helm.outputs.helm-path }}
|
||||
export USE_CONFIG=${{ join(matrix.config.values, ',') }}
|
||||
make kind-install-kyverno
|
||||
- name: Wait for kyverno ready
|
||||
uses: ./.github/actions/kyverno-wait-ready
|
||||
# run tests
|
||||
- name: Test with Chainsaw
|
||||
shell: bash
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
set -e
|
||||
cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml
|
||||
# debug
|
||||
- name: Debug failure
|
||||
if: failure()
|
||||
uses: ./.github/actions/kyverno-logs
|
||||
|
||||
validatingadmissionpolicies-reports-v1beta1:
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
|
@ -1004,9 +866,7 @@ jobs:
|
|||
- standard
|
||||
- ttl
|
||||
- force-failure-policy-ignore
|
||||
- validatingadmissionpolicies-v1alpha1
|
||||
- k8s-version-specific-tests-above-1-28
|
||||
- validatingadmissionpolicies-reports-v1alpha1
|
||||
- validatingadmissionpolicies-reports-v1beta1
|
||||
- custom-sigstore
|
||||
- default
|
||||
|
@ -1023,9 +883,7 @@ jobs:
|
|||
- standard
|
||||
- ttl
|
||||
- force-failure-policy-ignore
|
||||
- validatingadmissionpolicies-v1alpha1
|
||||
- k8s-version-specific-tests-above-1-28
|
||||
- validatingadmissionpolicies-reports-v1alpha1
|
||||
- validatingadmissionpolicies-reports-v1beta1
|
||||
- custom-sigstore
|
||||
- default
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
"github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -569,36 +569,36 @@ func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList
|
|||
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
|
||||
type CEL struct {
|
||||
// Expressions is a list of CELExpression types.
|
||||
Expressions []v1alpha1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
|
||||
Expressions []admissionregistrationv1beta1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"`
|
||||
|
||||
// ParamKind is a tuple of Group Kind and Version.
|
||||
// +optional
|
||||
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
|
||||
ParamKind *admissionregistrationv1beta1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"`
|
||||
|
||||
// ParamRef references a parameter resource.
|
||||
// +optional
|
||||
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
|
||||
ParamRef *admissionregistrationv1beta1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"`
|
||||
|
||||
// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
|
||||
// +optional
|
||||
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
|
||||
AuditAnnotations []admissionregistrationv1beta1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
|
||||
|
||||
// Variables contain definitions of variables that can be used in composition of other expressions.
|
||||
// Each variable is defined as a named CEL expression.
|
||||
// The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
// +optional
|
||||
Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
|
||||
Variables []admissionregistrationv1beta1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
|
||||
}
|
||||
|
||||
func (c *CEL) HasParam() bool {
|
||||
return c.ParamKind != nil && c.ParamRef != nil
|
||||
}
|
||||
|
||||
func (c *CEL) GetParamKind() v1alpha1.ParamKind {
|
||||
func (c *CEL) GetParamKind() admissionregistrationv1beta1.ParamKind {
|
||||
return *c.ParamKind
|
||||
}
|
||||
|
||||
func (c *CEL) GetParamRef() v1alpha1.ParamRef {
|
||||
func (c *CEL) GetParamRef() admissionregistrationv1beta1.ParamRef {
|
||||
return *c.ParamRef
|
||||
}
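Review bot: `GetParamKind` and `GetParamRef` at the bottom of the hunk still dereference `c.ParamKind` and `c.ParamRef` unconditionally, so after the v1beta1 swap a rule with only one of `paramKind`/`paramRef` set panics in any caller that does not check `HasParam()` first. The `CEL` struct is populated from user-submitted policy objects, so an unguarded call would be a crash on the admission path; the callers are not visible from this hunk, so this may already be gated. At minimum record the precondition on both accessors, e.g. `// GetParamKind returns *c.ParamKind; valid only when HasParam() is true, a nil ParamKind panics.`, or return the zero value: `if c.ParamKind == nil { return admissionregistrationv1beta1.ParamKind{} }`. The same applies to `GetParamRef`.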
|
||||
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
"github.com/kyverno/kyverno/ext/wildcard"
|
||||
"github.com/kyverno/kyverno/pkg/pss/utils"
|
||||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation/field"
|
||||
)
|
||||
|
@ -81,7 +81,7 @@ type Rule struct {
|
|||
// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
|
||||
// set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
// +optional
|
||||
CELPreconditions []admissionregistrationv1alpha1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
|
||||
CELPreconditions []admissionregistrationv1beta1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
|
||||
|
||||
// Mutation is used to modify matching resources.
|
||||
// +optional
|
||||
|
|
|
@ -24,7 +24,7 @@ package v1
|
|||
import (
|
||||
k8smanifest "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest"
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -218,29 +218,29 @@ func (in *CEL) DeepCopyInto(out *CEL) {
|
|||
*out = *in
|
||||
if in.Expressions != nil {
|
||||
in, out := &in.Expressions, &out.Expressions
|
||||
*out = make([]v1alpha1.Validation, len(*in))
|
||||
*out = make([]v1beta1.Validation, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.ParamKind != nil {
|
||||
in, out := &in.ParamKind, &out.ParamKind
|
||||
*out = new(v1alpha1.ParamKind)
|
||||
*out = new(v1beta1.ParamKind)
|
||||
**out = **in
|
||||
}
|
||||
if in.ParamRef != nil {
|
||||
in, out := &in.ParamRef, &out.ParamRef
|
||||
*out = new(v1alpha1.ParamRef)
|
||||
*out = new(v1beta1.ParamRef)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.AuditAnnotations != nil {
|
||||
in, out := &in.AuditAnnotations, &out.AuditAnnotations
|
||||
*out = make([]v1alpha1.AuditAnnotation, len(*in))
|
||||
*out = make([]v1beta1.AuditAnnotation, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.Variables != nil {
|
||||
in, out := &in.Variables, &out.Variables
|
||||
*out = make([]v1alpha1.Variable, len(*in))
|
||||
*out = make([]v1beta1.Variable, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
return
|
||||
|
@ -1384,7 +1384,7 @@ func (in *Rule) DeepCopyInto(out *Rule) {
|
|||
}
|
||||
if in.CELPreconditions != nil {
|
||||
in, out := &in.CELPreconditions, &out.CELPreconditions
|
||||
*out = make([]v1alpha1.MatchCondition, len(*in))
|
||||
*out = make([]v1beta1.MatchCondition, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
in.Mutation.DeepCopyInto(&out.Mutation)
|
||||
|
|
|
@ -143,7 +143,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2963,10 +2963,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2995,7 +2999,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3061,7 +3066,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3078,6 +3084,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4897,7 +4904,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7758,10 +7765,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7790,7 +7801,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7856,7 +7868,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7873,6 +7886,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12272,10 +12286,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12304,7 +12322,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12370,7 +12389,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12387,6 +12407,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14264,7 +14285,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17125,10 +17146,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17157,7 +17182,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17223,7 +17249,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17240,6 +17267,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -144,7 +144,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2964,10 +2964,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2996,7 +3000,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3062,7 +3067,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3079,6 +3085,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4899,7 +4906,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7760,10 +7767,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7792,7 +7803,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7858,7 +7870,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7875,6 +7888,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12275,10 +12289,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12307,7 +12325,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12373,7 +12392,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12390,6 +12410,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14267,7 +14288,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17128,10 +17149,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17160,7 +17185,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17226,7 +17252,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17243,6 +17270,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -33,7 +33,7 @@ import (
|
|||
gitutils "github.com/kyverno/kyverno/pkg/utils/git"
|
||||
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
|
||||
"github.com/spf13/cobra"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/client-go/dynamic"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
@ -222,8 +222,8 @@ func (c *ApplyCommandConfig) getMutateLogPathIsDir(skipInvalidPolicies SkippedIn
|
|||
}
|
||||
|
||||
func (c *ApplyCommandConfig) applyValidatingAdmissionPolicytoResource(
|
||||
vaps []v1alpha1.ValidatingAdmissionPolicy,
|
||||
vapBindings []v1alpha1.ValidatingAdmissionPolicyBinding,
|
||||
vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
|
||||
vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
|
||||
resources []*unstructured.Unstructured,
|
||||
namespaceSelectorMap map[string]map[string]string,
|
||||
rc *processor.ResultCounts,
|
||||
|
@ -322,7 +322,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
|
|||
return &rc, resources, responses, nil
|
||||
}
|
||||
|
||||
func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.PolicyInterface, vap []v1alpha1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, error) {
|
||||
func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.PolicyInterface, vap []admissionregistrationv1beta1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, error) {
|
||||
resources, err := common.GetResourceAccordingToResourcePath(out, nil, c.ResourcePaths, c.Cluster, policies, vap, dClient, c.Namespace, c.PolicyReport, "")
|
||||
if err != nil {
|
||||
return resources, fmt.Errorf("failed to load resources (%w)", err)
|
||||
|
@ -330,11 +330,11 @@ func (c *ApplyCommandConfig) loadResources(out io.Writer, policies []kyvernov1.P
|
|||
return resources, nil
|
||||
}
|
||||
|
||||
func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPolicies) (*processor.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, []v1alpha1.ValidatingAdmissionPolicyBinding, error) {
|
||||
func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPolicies) (*processor.ResultCounts, []*unstructured.Unstructured, SkippedInvalidPolicies, []engineapi.EngineResponse, []kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
// load policies
|
||||
var policies []kyvernov1.PolicyInterface
|
||||
var vaps []v1alpha1.ValidatingAdmissionPolicy
|
||||
var vapBindings []v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
var vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
var vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
|
||||
for _, path := range c.PolicyPaths {
|
||||
isGit := source.IsGit(path)
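Review bot: `loadPolicies` now threads only `admissionregistrationv1beta1.ValidatingAdmissionPolicy` and `ValidatingAdmissionPolicyBinding` slices, but the per-path decoding that fills `vaps` and `vapBindings` happens after `isGit := source.IsGit(path)`, outside the hunk, so it is not visible here whether a manifest still declaring `apiVersion: admissionregistration.k8s.io/v1alpha1` is converted, rejected, or dropped. For a CLI used as a CI gate the dangerous outcome is a silent drop: `kyverno apply` would report success with the policy never evaluated. If the loader does not already do so, it should surface such documents as an explicit error or a `SkippedInvalidPolicies` entry rather than ignoring them, and a test with a v1alpha1 VAP fixture would pin that behavior. The function body continues past the end of the hunk.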
|
||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: tests.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,10 +20,47 @@ spec:
|
|||
description: Test declares a test
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
checks:
|
||||
description: Checks are the verifications to be checked in the test
|
||||
items:
|
||||
properties:
|
||||
assert:
|
||||
description: Assert contains assertion to be performed on the relevant
|
||||
rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
error:
|
||||
description: Error contains negative assertion to be performed on
|
||||
the relevant rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
match:
|
||||
description: Match tells how to match relevant rule responses
|
||||
properties:
|
||||
policy:
|
||||
description: Policy filters engine responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
resource:
|
||||
description: Resource filters engine responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
rule:
|
||||
description: Rule filters rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
required:
|
||||
- assert
|
||||
- error
|
||||
type: object
|
||||
type: array
|
||||
exceptions:
|
||||
description: Policy Exceptions are the policy exceptions to be used in
|
||||
the test
|
||||
|
@ -31,15 +68,19 @@ spec:
|
|||
type: string
|
||||
type: array
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
description: Name is the name of the test. This field is deprecated, use
|
||||
`metadata.name` instead
|
||||
description: |-
|
||||
Name is the name of the test.
|
||||
This field is deprecated, use `metadata.name` instead
|
||||
type: string
|
||||
policies:
|
||||
description: Policies are the policies to be used in the test
|
||||
|
@ -57,41 +98,41 @@ spec:
|
|||
description: TestResultBase declares a test result
|
||||
properties:
|
||||
cloneSourceResource:
|
||||
description: CloneSourceResource takes the resource configuration
|
||||
file in yaml format from the user which is meant to be cloned
|
||||
by the generate rule.
|
||||
description: |-
|
||||
CloneSourceResource takes the resource configuration file in yaml format
|
||||
from the user which is meant to be cloned by the generate rule.
|
||||
type: string
|
||||
generatedResource:
|
||||
description: GeneratedResource takes a resource configuration file
|
||||
in yaml format from the user to compare it against the Kyverno
|
||||
generated resource configuration.
|
||||
description: |-
|
||||
GeneratedResource takes a resource configuration file in yaml format from
|
||||
the user to compare it against the Kyverno generated resource configuration.
|
||||
type: string
|
||||
isValidatingAdmissionPolicy:
|
||||
description: IsValidatingAdmissionPolicy indicates if the policy
|
||||
is a validating admission policy. It's required in case policy
|
||||
is a validating admission policy.
|
||||
description: |-
|
||||
IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
|
||||
It's required in case policy is a validating admission policy.
|
||||
type: boolean
|
||||
kind:
|
||||
description: Kind mentions the kind of the resource on which the
|
||||
policy is to be applied.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace mentions the namespace of the policy which
|
||||
has namespace scope. This is DEPRECATED, use a name in the form
|
||||
`<namespace>/<name>` for policies and/or resources instead.
|
||||
description: |-
|
||||
Namespace mentions the namespace of the policy which has namespace scope.
|
||||
This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
|
||||
type: string
|
||||
patchedResource:
|
||||
description: PatchedResource takes a resource configuration file
|
||||
in yaml format from the user to compare it against the Kyverno
|
||||
mutated resource configuration.
|
||||
description: |-
|
||||
PatchedResource takes a resource configuration file in yaml format from
|
||||
the user to compare it against the Kyverno mutated resource configuration.
|
||||
type: string
|
||||
policy:
|
||||
description: Policy mentions the name of the policy.
|
||||
type: string
|
||||
resource:
|
||||
description: Resource mentions the name of the resource on which
|
||||
the policy is to be applied. This is DEPRECATED, use `Resources`
|
||||
instead.
|
||||
description: |-
|
||||
Resource mentions the name of the resource on which the policy is to be applied.
|
||||
This is DEPRECATED, use `Resources` instead.
|
||||
type: string
|
||||
resources:
|
||||
description: Resources gives us the list of resources on which the
|
||||
|
@ -100,7 +141,8 @@ spec:
|
|||
type: string
|
||||
type: array
|
||||
result:
|
||||
description: Result mentions the result that the user is expecting.
|
||||
description: |-
|
||||
Result mentions the result that the user is expecting.
|
||||
Possible values are pass, fail and skip.
|
||||
enum:
|
||||
- pass
|
||||
|
@ -110,13 +152,15 @@ spec:
|
|||
- skip
|
||||
type: string
|
||||
rule:
|
||||
description: Rule mentions the name of the rule in the policy. It's
|
||||
required in case policy is a kyverno policy.
|
||||
description: |-
|
||||
Rule mentions the name of the rule in the policy.
|
||||
It's required in case policy is a kyverno policy.
|
||||
type: string
|
||||
status:
|
||||
description: Status mentions the status that the user is expecting.
|
||||
Possible values are pass, fail and skip. This is DEPRECATED, use
|
||||
`Result` instead.
|
||||
description: |-
|
||||
Status mentions the status that the user is expecting.
|
||||
Possible values are pass, fail and skip.
|
||||
This is DEPRECATED, use `Result` instead.
|
||||
enum:
|
||||
- pass
|
||||
- fail
|
||||
|
@ -223,11 +267,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For
|
||||
subresources, this may have a different value, for example:
|
||||
Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo'
|
||||
|
@ -246,36 +290,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status
|
||||
on a single item and both singular and plural are allowed
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the
|
||||
version this resource is converted to when written to
|
||||
the data store. Value must be treated as opaque by clients.
|
||||
Only equality comparison on the value is valid. This is
|
||||
an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the StorageVersionHash
|
||||
feature gate is enabled. This field will remain optional
|
||||
even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this
|
||||
includes get, list, watch, create, update, patch, delete,
|
||||
deletecollection, and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For
|
||||
subresources, this may have a different value, for example:
|
||||
v1 (while inside a v1beta1 version of the core resource''s
|
||||
group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
@ -293,11 +335,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For
|
||||
subresources, this may have a different value, for example:
|
||||
Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo'
|
||||
|
@ -316,36 +358,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status
|
||||
on a single item and both singular and plural are allowed
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the
|
||||
version this resource is converted to when written to
|
||||
the data store. Value must be treated as opaque by clients.
|
||||
Only equality comparison on the value is valid. This is
|
||||
an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the StorageVersionHash
|
||||
feature gate is enabled. This field will remain optional
|
||||
even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this
|
||||
includes get, list, watch, create, update, patch, delete,
|
||||
deletecollection, and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For
|
||||
subresources, this may have a different value, for example:
|
||||
v1 (while inside a v1beta1 version of the core resource''s
|
||||
group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: userinfoes.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,9 +20,11 @@ spec:
|
|||
description: UserInfo declares user infos to be loaded by the Kyverno CLI
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
clusterRoles:
|
||||
description: ClusterRoles is a list of possible clusterRoles send the
|
||||
|
@ -32,9 +34,12 @@ spec:
|
|||
nullable: true
|
||||
type: array
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
|
@ -60,10 +65,12 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
uid:
|
||||
description: A unique value that identifies this user across time.
|
||||
If this user is deleted and another user by the same name is added,
|
||||
they will have different UIDs.
|
||||
description: |-
|
||||
A unique value that identifies this user across time. If this user is
|
||||
deleted and another user by the same name is added, they will have
|
||||
different UIDs.
|
||||
type: string
|
||||
username:
|
||||
description: The name that uniquely identifies this user among all
|
||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: values.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,18 +20,23 @@ spec:
|
|||
description: Values declares values to be loaded by the Kyverno CLI
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
globalValues:
|
||||
description: GlobalValues are the global values
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
|
@ -116,10 +121,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For subresources,
|
||||
this may have a different value, for example: Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo' is
|
||||
|
@ -138,34 +144,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely. The
|
||||
singularName is more correct for reporting status on a single
|
||||
item and both singular and plural are allowed from the kubectl
|
||||
CLI interface.
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the version
|
||||
this resource is converted to when written to the data store.
|
||||
Value must be treated as opaque by clients. Only equality
|
||||
comparison on the value is valid. This is an alpha feature
|
||||
and may change or be removed in the future. The field is populated
|
||||
by the apiserver only if the StorageVersionHash feature gate
|
||||
is enabled. This field will remain optional even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this includes
|
||||
get, list, watch, create, update, patch, delete, deletecollection,
|
||||
and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For subresources,
|
||||
this may have a different value, for example: v1 (while inside
|
||||
a v1beta1 version of the core resource''s group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
@ -183,10 +189,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For subresources,
|
||||
this may have a different value, for example: Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo' is
|
||||
|
@ -205,34 +212,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely. The
|
||||
singularName is more correct for reporting status on a single
|
||||
item and both singular and plural are allowed from the kubectl
|
||||
CLI interface.
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the version
|
||||
this resource is converted to when written to the data store.
|
||||
Value must be treated as opaque by clients. Only equality
|
||||
comparison on the value is valid. This is an alpha feature
|
||||
and may change or be removed in the future. The field is populated
|
||||
by the apiserver only if the StorageVersionHash feature gate
|
||||
is enabled. This field will remain optional even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this includes
|
||||
get, list, watch, create, update, patch, delete, deletecollection,
|
||||
and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For subresources,
|
||||
this may have a different value, for example: v1 (while inside
|
||||
a v1beta1 version of the core resource''s group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
|
|
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: tests.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,10 +20,47 @@ spec:
|
|||
description: Test declares a test
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
checks:
|
||||
description: Checks are the verifications to be checked in the test
|
||||
items:
|
||||
properties:
|
||||
assert:
|
||||
description: Assert contains assertion to be performed on the relevant
|
||||
rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
error:
|
||||
description: Error contains negative assertion to be performed on
|
||||
the relevant rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
match:
|
||||
description: Match tells how to match relevant rule responses
|
||||
properties:
|
||||
policy:
|
||||
description: Policy filters engine responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
resource:
|
||||
description: Resource filters engine responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
rule:
|
||||
description: Rule filters rule responses
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
required:
|
||||
- assert
|
||||
- error
|
||||
type: object
|
||||
type: array
|
||||
exceptions:
|
||||
description: Policy Exceptions are the policy exceptions to be used in
|
||||
the test
|
||||
|
@ -31,15 +68,19 @@ spec:
|
|||
type: string
|
||||
type: array
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
description: Name is the name of the test. This field is deprecated, use
|
||||
`metadata.name` instead
|
||||
description: |-
|
||||
Name is the name of the test.
|
||||
This field is deprecated, use `metadata.name` instead
|
||||
type: string
|
||||
policies:
|
||||
description: Policies are the policies to be used in the test
|
||||
|
@ -57,41 +98,41 @@ spec:
|
|||
description: TestResultBase declares a test result
|
||||
properties:
|
||||
cloneSourceResource:
|
||||
description: CloneSourceResource takes the resource configuration
|
||||
file in yaml format from the user which is meant to be cloned
|
||||
by the generate rule.
|
||||
description: |-
|
||||
CloneSourceResource takes the resource configuration file in yaml format
|
||||
from the user which is meant to be cloned by the generate rule.
|
||||
type: string
|
||||
generatedResource:
|
||||
description: GeneratedResource takes a resource configuration file
|
||||
in yaml format from the user to compare it against the Kyverno
|
||||
generated resource configuration.
|
||||
description: |-
|
||||
GeneratedResource takes a resource configuration file in yaml format from
|
||||
the user to compare it against the Kyverno generated resource configuration.
|
||||
type: string
|
||||
isValidatingAdmissionPolicy:
|
||||
description: IsValidatingAdmissionPolicy indicates if the policy
|
||||
is a validating admission policy. It's required in case policy
|
||||
is a validating admission policy.
|
||||
description: |-
|
||||
IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
|
||||
It's required in case policy is a validating admission policy.
|
||||
type: boolean
|
||||
kind:
|
||||
description: Kind mentions the kind of the resource on which the
|
||||
policy is to be applied.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace mentions the namespace of the policy which
|
||||
has namespace scope. This is DEPRECATED, use a name in the form
|
||||
`<namespace>/<name>` for policies and/or resources instead.
|
||||
description: |-
|
||||
Namespace mentions the namespace of the policy which has namespace scope.
|
||||
This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
|
||||
type: string
|
||||
patchedResource:
|
||||
description: PatchedResource takes a resource configuration file
|
||||
in yaml format from the user to compare it against the Kyverno
|
||||
mutated resource configuration.
|
||||
description: |-
|
||||
PatchedResource takes a resource configuration file in yaml format from
|
||||
the user to compare it against the Kyverno mutated resource configuration.
|
||||
type: string
|
||||
policy:
|
||||
description: Policy mentions the name of the policy.
|
||||
type: string
|
||||
resource:
|
||||
description: Resource mentions the name of the resource on which
|
||||
the policy is to be applied. This is DEPRECATED, use `Resources`
|
||||
instead.
|
||||
description: |-
|
||||
Resource mentions the name of the resource on which the policy is to be applied.
|
||||
This is DEPRECATED, use `Resources` instead.
|
||||
type: string
|
||||
resources:
|
||||
description: Resources gives us the list of resources on which the
|
||||
|
@ -100,7 +141,8 @@ spec:
|
|||
type: string
|
||||
type: array
|
||||
result:
|
||||
description: Result mentions the result that the user is expecting.
|
||||
description: |-
|
||||
Result mentions the result that the user is expecting.
|
||||
Possible values are pass, fail and skip.
|
||||
enum:
|
||||
- pass
|
||||
|
@ -110,13 +152,15 @@ spec:
|
|||
- skip
|
||||
type: string
|
||||
rule:
|
||||
description: Rule mentions the name of the rule in the policy. It's
|
||||
required in case policy is a kyverno policy.
|
||||
description: |-
|
||||
Rule mentions the name of the rule in the policy.
|
||||
It's required in case policy is a kyverno policy.
|
||||
type: string
|
||||
status:
|
||||
description: Status mentions the status that the user is expecting.
|
||||
Possible values are pass, fail and skip. This is DEPRECATED, use
|
||||
`Result` instead.
|
||||
description: |-
|
||||
Status mentions the status that the user is expecting.
|
||||
Possible values are pass, fail and skip.
|
||||
This is DEPRECATED, use `Result` instead.
|
||||
enum:
|
||||
- pass
|
||||
- fail
|
||||
|
@ -223,11 +267,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For
|
||||
subresources, this may have a different value, for example:
|
||||
Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo'
|
||||
|
@ -246,36 +290,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status
|
||||
on a single item and both singular and plural are allowed
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the
|
||||
version this resource is converted to when written to
|
||||
the data store. Value must be treated as opaque by clients.
|
||||
Only equality comparison on the value is valid. This is
|
||||
an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the StorageVersionHash
|
||||
feature gate is enabled. This field will remain optional
|
||||
even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this
|
||||
includes get, list, watch, create, update, patch, delete,
|
||||
deletecollection, and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For
|
||||
subresources, this may have a different value, for example:
|
||||
v1 (while inside a v1beta1 version of the core resource''s
|
||||
group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
@ -293,11 +335,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For
|
||||
subresources, this may have a different value, for example:
|
||||
Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo'
|
||||
|
@ -316,36 +358,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status
|
||||
on a single item and both singular and plural are allowed
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the
|
||||
version this resource is converted to when written to
|
||||
the data store. Value must be treated as opaque by clients.
|
||||
Only equality comparison on the value is valid. This is
|
||||
an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the StorageVersionHash
|
||||
feature gate is enabled. This field will remain optional
|
||||
even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this
|
||||
includes get, list, watch, create, update, patch, delete,
|
||||
deletecollection, and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For
|
||||
subresources, this may have a different value, for example:
|
||||
v1 (while inside a v1beta1 version of the core resource''s
|
||||
group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: userinfoes.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,9 +20,11 @@ spec:
|
|||
description: UserInfo declares user infos to be loaded by the Kyverno CLI
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
clusterRoles:
|
||||
description: ClusterRoles is a list of possible clusterRoles send the
|
||||
|
@ -32,9 +34,12 @@ spec:
|
|||
nullable: true
|
||||
type: array
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
|
@ -60,10 +65,12 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
uid:
|
||||
description: A unique value that identifies this user across time.
|
||||
If this user is deleted and another user by the same name is added,
|
||||
they will have different UIDs.
|
||||
description: |-
|
||||
A unique value that identifies this user across time. If this user is
|
||||
deleted and another user by the same name is added, they will have
|
||||
different UIDs.
|
||||
type: string
|
||||
username:
|
||||
description: The name that uniquely identifies this user among all
|
||||
@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.0
|
||||
controller-gen.kubebuilder.io/version: v0.15.0
|
||||
name: values.cli.kyverno.io
|
||||
spec:
|
||||
group: cli.kyverno.io
|
||||
|
@ -20,18 +20,23 @@ spec:
|
|||
description: Values declares values to be loaded by the Kyverno CLI
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
of an object. Servers should convert recognized schemas to the latest
|
||||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||||
description: |-
|
||||
APIVersion defines the versioned schema of this representation of an object.
|
||||
Servers should convert recognized schemas to the latest internal value, and
|
||||
may reject unrecognized values.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
|
||||
type: string
|
||||
globalValues:
|
||||
description: GlobalValues are the global values
|
||||
type: object
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
kind:
|
||||
description: 'Kind is a string value representing the REST resource this
|
||||
object represents. Servers may infer this from the endpoint the client
|
||||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||||
description: |-
|
||||
Kind is a string value representing the REST resource this object represents.
|
||||
Servers may infer this from the endpoint the client submits requests to.
|
||||
Cannot be updated.
|
||||
In CamelCase.
|
||||
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
|
||||
type: string
|
||||
metadata:
|
||||
type: object
|
||||
|
@ -116,10 +121,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For subresources,
|
||||
this may have a different value, for example: Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo' is
|
||||
|
@ -138,34 +144,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely. The
|
||||
singularName is more correct for reporting status on a single
|
||||
item and both singular and plural are allowed from the kubectl
|
||||
CLI interface.
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the version
|
||||
this resource is converted to when written to the data store.
|
||||
Value must be treated as opaque by clients. Only equality
|
||||
comparison on the value is valid. This is an alpha feature
|
||||
and may change or be removed in the future. The field is populated
|
||||
by the apiserver only if the StorageVersionHash feature gate
|
||||
is enabled. This field will remain optional even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this includes
|
||||
get, list, watch, create, update, patch, delete, deletecollection,
|
||||
and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For subresources,
|
||||
this may have a different value, for example: v1 (while inside
|
||||
a v1beta1 version of the core resource''s group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
|
@ -183,10 +189,11 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
group:
|
||||
description: 'group is the preferred group of the resource. Empty
|
||||
implies the group of the containing resource list. For subresources,
|
||||
this may have a different value, for example: Scale".'
|
||||
description: |-
|
||||
group is the preferred group of the resource. Empty implies the group of the containing resource list.
|
||||
For subresources, this may have a different value, for example: Scale".
|
||||
type: string
|
||||
kind:
|
||||
description: kind is the kind for the resource (e.g. 'Foo' is
|
||||
|
@ -205,34 +212,34 @@ spec:
|
|||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
singularName:
|
||||
description: singularName is the singular name of the resource. This
|
||||
allows clients to handle plural and singular opaquely. The
|
||||
singularName is more correct for reporting status on a single
|
||||
item and both singular and plural are allowed from the kubectl
|
||||
CLI interface.
|
||||
description: |-
|
||||
singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely.
|
||||
The singularName is more correct for reporting status on a single item and both singular and plural are allowed
|
||||
from the kubectl CLI interface.
|
||||
type: string
|
||||
storageVersionHash:
|
||||
description: The hash value of the storage version, the version
|
||||
this resource is converted to when written to the data store.
|
||||
Value must be treated as opaque by clients. Only equality
|
||||
comparison on the value is valid. This is an alpha feature
|
||||
and may change or be removed in the future. The field is populated
|
||||
by the apiserver only if the StorageVersionHash feature gate
|
||||
is enabled. This field will remain optional even if it graduates.
|
||||
description: |-
|
||||
The hash value of the storage version, the version this resource is
|
||||
converted to when written to the data store. Value must be treated
|
||||
as opaque by clients. Only equality comparison on the value is valid.
|
||||
This is an alpha feature and may change or be removed in the future.
|
||||
The field is populated by the apiserver only if the
|
||||
StorageVersionHash feature gate is enabled.
|
||||
This field will remain optional even if it graduates.
|
||||
type: string
|
||||
verbs:
|
||||
description: verbs is a list of supported kube verbs (this includes
|
||||
get, list, watch, create, update, patch, delete, deletecollection,
|
||||
and proxy)
|
||||
description: |-
|
||||
verbs is a list of supported kube verbs (this includes get, list, watch, create,
|
||||
update, patch, delete, deletecollection, and proxy)
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
version:
|
||||
description: 'version is the preferred version of the resource. Empty
|
||||
implies the version of the containing resource list For subresources,
|
||||
this may have a different value, for example: v1 (while inside
|
||||
a v1beta1 version of the core resource''s group)".'
|
||||
description: |-
|
||||
version is the preferred version of the resource. Empty implies the version of the containing resource list
|
||||
For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".
|
||||
type: string
|
||||
required:
|
||||
- kind
|
||||
@ -137,7 +137,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2957,10 +2957,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2989,7 +2993,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3055,7 +3060,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3072,6 +3078,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4891,7 +4898,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7752,10 +7759,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7784,7 +7795,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7850,7 +7862,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7867,6 +7880,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12266,10 +12280,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12298,7 +12316,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12364,7 +12383,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12381,6 +12401,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14258,7 +14279,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17119,10 +17140,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17151,7 +17176,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17217,7 +17243,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17234,6 +17261,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
@ -138,7 +138,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2958,10 +2958,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2990,7 +2994,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3056,7 +3061,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3073,6 +3079,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4893,7 +4900,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7754,10 +7761,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7786,7 +7797,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7852,7 +7864,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7869,6 +7882,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12269,10 +12283,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12301,7 +12319,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12367,7 +12386,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12384,6 +12404,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14261,7 +14282,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17122,10 +17143,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17154,7 +17179,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17220,7 +17246,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17237,6 +17264,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -21,7 +21,6 @@ import (
|
|||
extyaml "github.com/kyverno/kyverno/ext/yaml"
|
||||
"github.com/kyverno/kyverno/pkg/utils/git"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
"k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"sigs.k8s.io/kubectl-validate/pkg/openapiclient"
|
||||
|
@ -32,9 +31,7 @@ var (
|
|||
policyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("Policy")
|
||||
clusterPolicyV1 = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("ClusterPolicy")
|
||||
clusterPolicyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("ClusterPolicy")
|
||||
vapV1alpha1 = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
|
||||
vapV1Beta1 = v1beta1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
|
||||
vapBindingV1alpha1 = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
|
||||
vapBindingV1beta1 = v1beta1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicyBinding")
|
||||
LegacyLoader = legacyLoader
|
||||
KubectlValidateLoader = kubectlValidateLoader
|
||||
|
@ -54,8 +51,8 @@ type LoaderError struct {
|
|||
|
||||
type LoaderResults struct {
|
||||
Policies []kyvernov1.PolicyInterface
|
||||
VAPs []v1alpha1.ValidatingAdmissionPolicy
|
||||
VAPBindings []v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
VAPs []v1beta1.ValidatingAdmissionPolicy
|
||||
VAPBindings []v1beta1.ValidatingAdmissionPolicyBinding
|
||||
NonFatalErrors []LoaderError
|
||||
}
|
||||
|
||||
|
@ -159,14 +156,14 @@ func kubectlValidateLoader(path string, content []byte) (*LoaderResults, error)
|
|||
return nil, err
|
||||
}
|
||||
results.Policies = append(results.Policies, typed)
|
||||
case vapV1alpha1, vapV1Beta1:
|
||||
typed, err := convert.To[v1alpha1.ValidatingAdmissionPolicy](untyped)
|
||||
case vapV1Beta1:
|
||||
typed, err := convert.To[v1beta1.ValidatingAdmissionPolicy](untyped)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
results.VAPs = append(results.VAPs, *typed)
|
||||
case vapBindingV1alpha1, vapBindingV1beta1:
|
||||
typed, err := convert.To[v1alpha1.ValidatingAdmissionPolicyBinding](untyped)
|
||||
case vapBindingV1beta1:
|
||||
typed, err := convert.To[v1beta1.ValidatingAdmissionPolicyBinding](untyped)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
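Review bot: Dropping `vapV1alpha1` and `vapBindingV1alpha1` from the two `case` lists means a manifest with `apiVersion: admissionregistration.k8s.io/v1alpha1` no longer matches any case and falls to whatever default the switch has outside this hunk; nothing visible here tells the user that the policy was skipped rather than evaluated, so a CLI run can report a clean result for a policy that was never applied. An explicit case for the two retired GVKs (rebuilt with `schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Kind: "ValidatingAdmissionPolicy"}` and its Binding counterpart, since the k8s v1alpha1 import is gone) returning `errors.New("admissionregistration.k8s.io/v1alpha1 ValidatingAdmissionPolicy is no longer supported, use v1beta1")` would make the migration visible at load time; if a hard failure is not wanted, the same message could be appended to `results.NonFatalErrors` as a `LoaderError`. The body of kubectlValidateLoader starts and ends outside the hunk.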
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
"github.com/go-git/go-billy/v5"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
func TestLoad(t *testing.T) {
|
||||
|
@ -85,7 +85,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
|
|||
resourcePath string
|
||||
paths []string
|
||||
wantErr bool
|
||||
checks func(*testing.T, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy)
|
||||
checks func(*testing.T, []kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy)
|
||||
}{{
|
||||
name: "cpol-limit-configmap-for-sa",
|
||||
fs: nil,
|
||||
|
@ -104,7 +104,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
|
|||
resourcePath: "",
|
||||
paths: []string{"../_testdata/policies/check-image.yaml"},
|
||||
wantErr: false,
|
||||
checks: func(t *testing.T, policies []kyvernov1.PolicyInterface, vaps []v1alpha1.ValidatingAdmissionPolicy) {
|
||||
checks: func(t *testing.T, policies []kyvernov1.PolicyInterface, vaps []admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
assert.Len(t, policies, 1)
|
||||
policy := policies[0]
|
||||
assert.NotNil(t, policy)
|
||||
|
|
|
@ -4,13 +4,13 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
type ValidatingAdmissionPolicyProcessor struct {
|
||||
Policies []v1alpha1.ValidatingAdmissionPolicy
|
||||
Bindings []v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
Policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
Bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
Resource *unstructured.Unstructured
|
||||
NamespaceSelectorMap map[string]map[string]string
|
||||
PolicyReport bool
|
||||
|
|
|
@ -16,7 +16,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
|
@ -30,7 +30,7 @@ func GetResourceAccordingToResourcePath(
|
|||
resourcePaths []string,
|
||||
cluster bool,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
validatingAdmissionPolicies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
|
||||
validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
|
||||
dClient dclient.Interface,
|
||||
namespace string,
|
||||
policyReport bool,
|
||||
|
|
|
@ -16,7 +16,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
|
@ -29,7 +29,7 @@ import (
|
|||
func GetResources(
|
||||
out io.Writer,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
validatingAdmissionPolicies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
|
||||
validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy,
|
||||
resourcePaths []string,
|
||||
dClient dclient.Interface,
|
||||
cluster bool,
|
||||
|
@ -250,7 +250,7 @@ func GetKindsFromRule(rule kyvernov1.Rule, client dclient.Interface) (map[schema
|
|||
return resourceTypesMap, subresourceMap
|
||||
}
|
||||
|
||||
func getKindsFromValidatingAdmissionPolicy(policy admissionregistrationv1alpha1.ValidatingAdmissionPolicy, client dclient.Interface) (map[schema.GroupVersionKind]bool, map[schema.GroupVersionKind]v1alpha1.Subresource) {
|
||||
func getKindsFromValidatingAdmissionPolicy(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy, client dclient.Interface) (map[schema.GroupVersionKind]bool, map[schema.GroupVersionKind]v1alpha1.Subresource) {
|
||||
resourceTypesMap := make(map[schema.GroupVersionKind]bool)
|
||||
subresourceMap := make(map[schema.GroupVersionKind]v1alpha1.Subresource)
|
||||
|
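Review bot: The new `func getKindsFromValidatingAdmissionPolicy` signature takes `admissionregistrationv1beta1.ValidatingAdmissionPolicy` but still returns `map[schema.GroupVersionKind]v1alpha1.Subresource`; with the Kubernetes `admissionregistration/v1alpha1` import removed from this file, the bare `v1alpha1` presumably refers to Kyverno's own CLI API package, which is now easy to misread as the alpha API this commit retires. Aliasing that import (for example `cliv1alpha1`) and updating the two `v1alpha1.Subresource` references in this hunk would make the distinction explicit. GetKindsFromRule's closing lines are in this hunk; the rest of getKindsFromValidatingAdmissionPolicy continues past it.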
||||
|
|
|
@ -5,13 +5,13 @@ import (
|
|||
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
type ValidatingAdmissionResources struct {
|
||||
policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
|
||||
policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
}
|
||||
|
||||
func (r *ValidatingAdmissionResources) FetchResourcesFromPolicy(out io.Writer, resourcePaths []string, dClient dclient.Interface, namespace string, policyReport bool) ([]*unstructured.Unstructured, error) {
|
||||
|
|
|
@ -222,8 +222,8 @@ func createrLeaderControllers(
|
|||
dynamicClient.Discovery(),
|
||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||
kyvernoInformer.Kyverno().V2().PolicyExceptions(),
|
||||
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(),
|
||||
kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings(),
|
||||
kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicies(),
|
||||
kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings(),
|
||||
eventGenerator,
|
||||
checker,
|
||||
)
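Review bot: The two `kubeInformer.Admissionregistration().V1beta1()` informers are passed unconditionally here, whereas the same informers in `createReportControllers` (a later hunk of this commit) are created only behind the `validatingAdmissionPolicyReports` flag; if this call site has no guard outside the hunk, a cluster that does not serve `admissionregistration.k8s.io/v1beta1` (the API is beta and has to be enabled explicitly on some releases) leaves these informers unable to list or watch, and anything waiting on their cache sync never becomes ready. Worth confirming that this wiring is only reached when the group version is actually served, for example via a discovery lookup such as `ServerResourcesForGroupVersion("admissionregistration.k8s.io/v1beta1")`, or gating it on the same flag used for the report controllers. createrLeaderControllers starts and ends outside the hunk.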
|
||||
|
|
|
@ -29,7 +29,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
|
||||
kubeinformers "k8s.io/client-go/informers"
|
||||
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
|
||||
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
|
||||
kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
|
||||
)
|
||||
|
@ -68,12 +68,12 @@ func createReportControllers(
|
|||
) ([]internal.Controller, func(context.Context) error) {
|
||||
var ctrls []internal.Controller
|
||||
var warmups []func(context.Context) error
|
||||
var vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer
|
||||
var vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer
|
||||
var vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer
|
||||
var vapBindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer
|
||||
// check if validating admission policies are registered in the API server
|
||||
if validatingAdmissionPolicyReports {
|
||||
vapInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies()
|
||||
vapBindingInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings()
|
||||
vapInformer = kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicies()
|
||||
vapBindingInformer = kubeInformer.Admissionregistration().V1beta1().ValidatingAdmissionPolicyBindings()
|
||||
}
|
||||
kyvernoV1 := kyvernoInformer.Kyverno().V1()
|
||||
kyvernoV2 := kyvernoInformer.Kyverno().V2()
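Review bot: The comment `// check if validating admission policies are registered in the API server` no longer describes the line under it: the condition is the caller-supplied `validatingAdmissionPolicyReports` flag, not a check against the API server, and after this change the informers it guards are `V1beta1()`, so the flag alone does not protect a cluster where that group version is not served. Either reword it to `// VAP report controllers are opt-in; the v1beta1 informers are only wired when the flag is set` or make the comment true by probing discovery for `admissionregistration.k8s.io/v1beta1` before assigning `vapInformer` and `vapBindingInformer`. createReportControllers starts and ends outside the hunk.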
|
||||
|
|
|
@ -137,7 +137,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2957,10 +2957,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2989,7 +2993,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3055,7 +3060,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3072,6 +3078,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4891,7 +4898,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7752,10 +7759,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7784,7 +7795,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7850,7 +7862,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7867,6 +7880,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12266,10 +12280,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12298,7 +12316,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12364,7 +12383,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12381,6 +12401,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14258,7 +14279,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17119,10 +17140,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17151,7 +17176,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17217,7 +17243,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17234,6 +17261,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -138,7 +138,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -2958,10 +2958,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -2990,7 +2994,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -3056,7 +3061,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -3073,6 +3079,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -4893,7 +4900,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7754,10 +7761,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -7786,7 +7797,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -7852,7 +7864,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -7869,6 +7882,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -12269,10 +12283,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12301,7 +12319,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -12367,7 +12386,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12384,6 +12404,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -14261,7 +14282,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17122,10 +17143,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17154,7 +17179,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17220,7 +17246,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17237,6 +17264,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -5291,7 +5291,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -8111,10 +8111,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -8143,7 +8147,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -8209,7 +8214,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -8226,6 +8232,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -10045,7 +10052,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -12906,10 +12913,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -12938,7 +12949,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -13004,7 +13016,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -13021,6 +13034,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -17420,10 +17434,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -17452,7 +17470,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -17518,7 +17537,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -17535,6 +17555,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -19412,7 +19433,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -22273,10 +22294,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -22305,7 +22330,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -22371,7 +22397,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -22388,6 +22415,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -24558,7 +24586,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which must
|
||||
by fulfilled for a request to be sent to a webhook.
|
||||
be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -27378,10 +27406,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -27410,7 +27442,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -27476,7 +27509,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -27493,6 +27527,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -29313,7 +29348,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -32174,10 +32209,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -32206,7 +32245,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -32272,7 +32312,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -32289,6 +32330,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -36689,10 +36731,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -36721,7 +36767,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -36787,7 +36834,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is defined
|
||||
as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -36804,6 +36852,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
@ -38681,7 +38730,7 @@ spec:
|
|||
set of CEL conditions. It can only be used with the validate.cel subrule
|
||||
items:
|
||||
description: MatchCondition represents a condition which
|
||||
must by fulfilled for a request to be sent to a webhook.
|
||||
must be fulfilled for a request to be sent to a webhook.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -41542,10 +41591,14 @@ spec:
|
|||
properties:
|
||||
name:
|
||||
description: |-
|
||||
`name` is the name of the resource being referenced.
|
||||
name is the name of the resource being referenced.
|
||||
|
||||
`name` and `selector` are mutually exclusive properties. If one is set,
|
||||
the other must be unset.
|
||||
One of `name` or `selector` must be set, but `name` and `selector` are
|
||||
mutually exclusive properties. If one is set, the other must be unset.
|
||||
|
||||
A single parameter used for all admission requests can be configured
|
||||
by setting the `name` field, leaving `selector` blank, and setting namespace
|
||||
if `paramKind` is namespace-scoped.
|
||||
type: string
|
||||
namespace:
|
||||
description: |-
|
||||
|
@ -41574,7 +41627,8 @@ spec:
|
|||
`failurePolicy` of the policy.
|
||||
|
||||
Allowed values are `Allow` or `Deny`
|
||||
Default to `Deny`
|
||||
|
||||
Required
|
||||
type: string
|
||||
selector:
|
||||
description: |-
|
||||
|
@ -41640,7 +41694,8 @@ spec:
|
|||
The variables defined here will be available under `variables` in other expressions of the policy.
|
||||
items:
|
||||
description: Variable is the definition of a variable
|
||||
that is used for composition.
|
||||
that is used for composition. A variable is
|
||||
defined as a named expression.
|
||||
properties:
|
||||
expression:
|
||||
description: |-
|
||||
|
@ -41657,6 +41712,7 @@ spec:
|
|||
- expression
|
||||
- name
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
type: array
|
||||
type: object
|
||||
deny:
|
||||
|
|
|
@ -1001,8 +1001,8 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
<td>
|
||||
<code>expressions</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1alpha1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1alpha1.Validation
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#validation-v1beta1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1beta1.Validation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
@ -1014,8 +1014,8 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
<td>
|
||||
<code>paramKind</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramkind-v1alpha1-admissionregistration">
|
||||
Kubernetes admissionregistration/v1alpha1.ParamKind
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramkind-v1beta1-admissionregistration">
|
||||
Kubernetes admissionregistration/v1beta1.ParamKind
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
@ -1028,8 +1028,8 @@ Kubernetes admissionregistration/v1alpha1.ParamKind
|
|||
<td>
|
||||
<code>paramRef</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramref-v1alpha1-admissionregistration">
|
||||
Kubernetes admissionregistration/v1alpha1.ParamRef
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#paramref-v1beta1-admissionregistration">
|
||||
Kubernetes admissionregistration/v1beta1.ParamRef
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
@ -1042,8 +1042,8 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
|
|||
<td>
|
||||
<code>auditAnnotations</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1alpha1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1alpha1.AuditAnnotation
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#auditannotation-v1beta1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1beta1.AuditAnnotation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
@ -1056,8 +1056,8 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
|
|||
<td>
|
||||
<code>variables</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1alpha1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1alpha1.Variable
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1beta1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1beta1.Variable
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
@ -3895,8 +3895,8 @@ See: <a href="https://kyverno.io/docs/writing-policies/preconditions/">https://k
|
|||
<td>
|
||||
<code>celPreconditions</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1alpha1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1alpha1.MatchCondition
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#matchcondition-v1beta1-admissionregistration">
|
||||
[]Kubernetes admissionregistration/v1beta1.MatchCondition
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
|
|
@ -2032,7 +2032,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">[]admissionregistration/v1alpha1.Validation</span>
|
||||
<span style="font-family: monospace">[]admissionregistration/v1beta1.Validation</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
@ -2059,7 +2059,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">admissionregistration/v1alpha1.ParamKind</span>
|
||||
<span style="font-family: monospace">admissionregistration/v1beta1.ParamKind</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
@ -2086,7 +2086,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">admissionregistration/v1alpha1.ParamRef</span>
|
||||
<span style="font-family: monospace">admissionregistration/v1beta1.ParamRef</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
@ -2113,7 +2113,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">[]admissionregistration/v1alpha1.AuditAnnotation</span>
|
||||
<span style="font-family: monospace">[]admissionregistration/v1beta1.AuditAnnotation</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
@ -2140,7 +2140,7 @@ attributes for keyless verification, or a nested attestor declaration.</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">[]admissionregistration/v1alpha1.Variable</span>
|
||||
<span style="font-family: monospace">[]admissionregistration/v1beta1.Variable</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
@ -7726,7 +7726,7 @@ See: https://kyverno.io/docs/writing-policies/preconditions/</p>
|
|||
|
||||
|
||||
|
||||
<span style="font-family: monospace">[]admissionregistration/v1alpha1.MatchCondition</span>
|
||||
<span style="font-family: monospace">[]admissionregistration/v1beta1.MatchCondition</span>
|
||||
|
||||
|
||||
</td>
|
||||
|
|
|
@ -19,17 +19,17 @@ limitations under the License.
|
|||
package v1
|
||||
|
||||
import (
|
||||
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
// CELApplyConfiguration represents an declarative configuration of the CEL type for use
|
||||
// with apply.
|
||||
type CELApplyConfiguration struct {
|
||||
Expressions []v1alpha1.Validation `json:"expressions,omitempty"`
|
||||
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty"`
|
||||
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty"`
|
||||
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty"`
|
||||
Variables []v1alpha1.Variable `json:"variables,omitempty"`
|
||||
Expressions []v1beta1.Validation `json:"expressions,omitempty"`
|
||||
ParamKind *v1beta1.ParamKind `json:"paramKind,omitempty"`
|
||||
ParamRef *v1beta1.ParamRef `json:"paramRef,omitempty"`
|
||||
AuditAnnotations []v1beta1.AuditAnnotation `json:"auditAnnotations,omitempty"`
|
||||
Variables []v1beta1.Variable `json:"variables,omitempty"`
|
||||
}
|
||||
|
||||
// CELApplyConfiguration constructs an declarative configuration of the CEL type for use with
|
||||
|
@ -41,7 +41,7 @@ func CEL() *CELApplyConfiguration {
|
|||
// WithExpressions adds the given value to the Expressions field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the Expressions field.
|
||||
func (b *CELApplyConfiguration) WithExpressions(values ...v1alpha1.Validation) *CELApplyConfiguration {
|
||||
func (b *CELApplyConfiguration) WithExpressions(values ...v1beta1.Validation) *CELApplyConfiguration {
|
||||
for i := range values {
|
||||
b.Expressions = append(b.Expressions, values[i])
|
||||
}
|
||||
|
@ -51,7 +51,7 @@ func (b *CELApplyConfiguration) WithExpressions(values ...v1alpha1.Validation) *
|
|||
// WithParamKind sets the ParamKind field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ParamKind field is set to the value of the last call.
|
||||
func (b *CELApplyConfiguration) WithParamKind(value v1alpha1.ParamKind) *CELApplyConfiguration {
|
||||
func (b *CELApplyConfiguration) WithParamKind(value v1beta1.ParamKind) *CELApplyConfiguration {
|
||||
b.ParamKind = &value
|
||||
return b
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ func (b *CELApplyConfiguration) WithParamKind(value v1alpha1.ParamKind) *CELAppl
|
|||
// WithParamRef sets the ParamRef field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ParamRef field is set to the value of the last call.
|
||||
func (b *CELApplyConfiguration) WithParamRef(value v1alpha1.ParamRef) *CELApplyConfiguration {
|
||||
func (b *CELApplyConfiguration) WithParamRef(value v1beta1.ParamRef) *CELApplyConfiguration {
|
||||
b.ParamRef = &value
|
||||
return b
|
||||
}
|
||||
|
@ -67,7 +67,7 @@ func (b *CELApplyConfiguration) WithParamRef(value v1alpha1.ParamRef) *CELApplyC
|
|||
// WithAuditAnnotations adds the given value to the AuditAnnotations field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the AuditAnnotations field.
|
||||
func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnnotation) *CELApplyConfiguration {
|
||||
func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1beta1.AuditAnnotation) *CELApplyConfiguration {
|
||||
for i := range values {
|
||||
b.AuditAnnotations = append(b.AuditAnnotations, values[i])
|
||||
}
|
||||
|
@ -77,7 +77,7 @@ func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnn
|
|||
// WithVariables adds the given value to the Variables field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the Variables field.
|
||||
func (b *CELApplyConfiguration) WithVariables(values ...v1alpha1.Variable) *CELApplyConfiguration {
|
||||
func (b *CELApplyConfiguration) WithVariables(values ...v1beta1.Variable) *CELApplyConfiguration {
|
||||
for i := range values {
|
||||
b.Variables = append(b.Variables, values[i])
|
||||
}
|
||||
|
|
|
@ -20,7 +20,7 @@ package v1
|
|||
|
||||
import (
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
v1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
v1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
// RuleApplyConfiguration represents an declarative configuration of the Rule type for use
|
||||
|
@ -32,7 +32,7 @@ type RuleApplyConfiguration struct {
|
|||
ExcludeResources *MatchResourcesApplyConfiguration `json:"exclude,omitempty"`
|
||||
ImageExtractors *kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty"`
|
||||
RawAnyAllConditions *kyvernov1.ConditionsWrapper `json:"preconditions,omitempty"`
|
||||
CELPreconditions []v1alpha1.MatchCondition `json:"celPreconditions,omitempty"`
|
||||
CELPreconditions []v1beta1.MatchCondition `json:"celPreconditions,omitempty"`
|
||||
Mutation *MutationApplyConfiguration `json:"mutate,omitempty"`
|
||||
Validation *ValidationApplyConfiguration `json:"validate,omitempty"`
|
||||
Generation *GenerationApplyConfiguration `json:"generate,omitempty"`
|
||||
|
@ -102,7 +102,7 @@ func (b *RuleApplyConfiguration) WithRawAnyAllConditions(value kyvernov1.Conditi
|
|||
// WithCELPreconditions adds the given value to the CELPreconditions field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the CELPreconditions field.
|
||||
func (b *RuleApplyConfiguration) WithCELPreconditions(values ...v1alpha1.MatchCondition) *RuleApplyConfiguration {
|
||||
func (b *RuleApplyConfiguration) WithCELPreconditions(values ...v1beta1.MatchCondition) *RuleApplyConfiguration {
|
||||
for i := range values {
|
||||
b.CELPreconditions = append(b.CELPreconditions, values[i])
|
||||
}
|
||||
|
|
|
@ -26,8 +26,8 @@ import (
|
|||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/client-go/dynamic"
|
||||
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
|
||||
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
|
||||
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
|
@ -50,7 +50,7 @@ type controller struct {
|
|||
// listers
|
||||
polLister kyvernov1listers.PolicyLister
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
|
||||
ephrLister cache.GenericLister
|
||||
cephrLister cache.GenericLister
|
||||
|
||||
|
@ -70,7 +70,7 @@ func NewController(
|
|||
metadataFactory metadatainformers.SharedInformerFactory,
|
||||
polInformer kyvernov1informers.PolicyInformer,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
|
||||
) controllers.Controller {
|
||||
ephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"))
|
||||
cephrInformer := metadataFactory.ForResource(reportsv1.SchemeGroupVersion.WithResource("clusterephemeralreports"))
|
||||
|
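Review bot: The swap to `vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer` and `vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister` makes this controller depend on the API server serving `admissionregistration.k8s.io/v1beta1`, yet nothing in the hunk checks discovery or a feature gate before the informer is wired, and the v1alpha1-only conformance job (Kubernetes v1.27) is removed by the same commit. On a cluster that serves only v1alpha1 the informer's list/watch will presumably fail and surface only through informer error handling rather than as a startup error; `NewController` continues outside the hunk, so a guard there would not be visible here. The same type swap recurs in the report controller below (`vapLister`/`vapBindingLister` in its `type controller` and `NewController` hunks), in the policy controller after it, and in the scanner interface at the end, so this note applies to those hunks too; in the report controller's `reconcile` hunk, `var vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding` stays nil when `c.vapBindingLister` is nil, so VAP results quietly drop out of the reports. I would document the floor where the v1beta1 informers are constructed, e.g. `// ValidatingAdmissionPolicy v1beta1 is served from Kubernetes 1.28; older clusters cannot feed this informer`, and log once at startup when the v1beta1 resource is absent from discovery so the degraded reporting mode is observable instead of silent.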
|
|
@ -26,14 +26,14 @@ import (
|
|||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
|
||||
corev1informers "k8s.io/client-go/informers/core/v1"
|
||||
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
metadatainformers "k8s.io/client-go/metadata/metadatainformer"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
|
@ -59,8 +59,8 @@ type controller struct {
|
|||
polLister kyvernov1listers.PolicyLister
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
polexLister kyvernov2listers.PolicyExceptionLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
|
||||
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
|
||||
vapBindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister
|
||||
bgscanrLister cache.GenericLister
|
||||
cbgscanrLister cache.GenericLister
|
||||
nsLister corev1listers.NamespaceLister
|
||||
|
@ -87,8 +87,8 @@ func NewController(
|
|||
polInformer kyvernov1informers.PolicyInformer,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
polexInformer kyvernov2informers.PolicyExceptionInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapBindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
nsInformer corev1informers.NamespaceInformer,
|
||||
metadataCache resource.MetadataCache,
|
||||
forceDelay time.Duration,
|
||||
|
@ -186,31 +186,31 @@ func (c *controller) deleteException(obj *kyvernov2.PolicyException) {
|
|||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) addVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) updateVAP(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) updateVAP(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
if old.GetResourceVersion() != obj.GetResourceVersion() {
|
||||
c.enqueueResources()
|
||||
}
|
||||
}
|
||||
|
||||
func (c *controller) deleteVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) deleteVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) addVAPBinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) addVAPBinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
func (c *controller) updateVAPBinding(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) updateVAPBinding(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
if old.GetResourceVersion() != obj.GetResourceVersion() {
|
||||
c.enqueueResources()
|
||||
}
|
||||
}
|
||||
|
||||
func (c *controller) deleteVAPBinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) deleteVAPBinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
c.enqueueResources()
|
||||
}
|
||||
|
||||
|
@ -244,7 +244,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
|
||||
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) {
|
||||
// if the reportMetadata does not exist, we need a full reconcile
|
||||
reportMetadata, err := c.getMeta(namespace, name)
|
||||
if err != nil {
|
||||
|
@ -304,7 +304,7 @@ func (c *controller) reconcileReport(
|
|||
gvk schema.GroupVersionKind,
|
||||
resource resource.Resource,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
|
||||
bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
|
||||
policies ...engineapi.GenericPolicy,
|
||||
) error {
|
||||
// namespace labels to be used by the scanner
|
||||
|
@ -528,7 +528,7 @@ func (c *controller) reconcile(ctx context.Context, log logr.Logger, key, namesp
|
|||
policies = append(policies, engineapi.NewValidatingAdmissionPolicy(pol))
|
||||
}
|
||||
}
|
||||
var vapBindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding
|
||||
var vapBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
if c.vapBindingLister != nil {
|
||||
// load validating admission policy bindings
|
||||
vapBindings, err = utils.FetchValidatingAdmissionPolicyBindings(c.vapBindingLister)
|
||||
|
|
|
@ -23,8 +23,8 @@ import (
|
|||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/watch"
|
||||
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
|
||||
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
watchTools "k8s.io/client-go/tools/watch"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
|
@ -79,7 +79,7 @@ type controller struct {
|
|||
// listers
|
||||
polLister kyvernov1listers.PolicyLister
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
|
||||
|
||||
// queue
|
||||
queue workqueue.TypedRateLimitingInterface[any]
|
||||
|
@ -93,7 +93,7 @@ func NewController(
|
|||
client dclient.Interface,
|
||||
polInformer kyvernov1informers.PolicyInformer,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
|
||||
) Controller {
|
||||
c := controller{
|
||||
client: client,
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
"go.uber.org/multierr"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
|
@ -31,7 +31,7 @@ type ScanResult struct {
|
|||
}
|
||||
|
||||
type Scanner interface {
|
||||
ScanResource(context.Context, unstructured.Unstructured, map[string]string, []v1alpha1.ValidatingAdmissionPolicyBinding, ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult
|
||||
ScanResource(context.Context, unstructured.Unstructured, map[string]string, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult
|
||||
}
|
||||
|
||||
func NewScanner(
|
||||
|
@ -50,7 +50,7 @@ func NewScanner(
|
|||
}
|
||||
}
|
||||
|
||||
func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, bindings []v1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult {
|
||||
func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstructured, nsLabels map[string]string, bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) map[*engineapi.GenericPolicy]ScanResult {
|
||||
results := map[*engineapi.GenericPolicy]ScanResult{}
|
||||
for i, policy := range policies {
|
||||
var errors []error
|
||||
|
|
|
@ -10,11 +10,11 @@ import (
|
|||
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
||||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
func CanBackgroundProcess(p kyvernov1.PolicyInterface) bool {
|
||||
|
@ -125,8 +125,8 @@ func FetchPolicyExceptions(polexLister kyvernov2listers.PolicyExceptionLister, n
|
|||
return exceptions, nil
|
||||
}
|
||||
|
||||
func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
|
||||
var policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
|
||||
func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1beta1.ValidatingAdmissionPolicy, error) {
|
||||
var policies []admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
if pols, err := vapLister.List(labels.Everything()); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
|
@ -137,8 +137,8 @@ func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1lis
|
|||
return policies, nil
|
||||
}
|
||||
|
||||
func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding
|
||||
func FetchValidatingAdmissionPolicyBindings(vapBindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister) ([]admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
var bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
if pols, err := vapBindingLister.List(labels.Everything()); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
|
|
|
@ -22,13 +22,13 @@ import (
|
|||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
admissionregistrationv1alpha1informers "k8s.io/client-go/informers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1informers "k8s.io/client-go/informers/admissionregistration/v1beta1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
admissionregistrationv1alpha1listers "k8s.io/client-go/listers/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1listers "k8s.io/client-go/listers/admissionregistration/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
)
|
||||
|
@ -49,8 +49,8 @@ type controller struct {
|
|||
// listers
|
||||
cpolLister kyvernov1listers.ClusterPolicyLister
|
||||
polexLister kyvernov2listers.PolicyExceptionLister
|
||||
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
|
||||
vapbindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister
|
||||
vapLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyLister
|
||||
vapbindingLister admissionregistrationv1beta1listers.ValidatingAdmissionPolicyBindingLister
|
||||
|
||||
// queue
|
||||
queue workqueue.TypedRateLimitingInterface[any]
|
||||
|
@ -65,8 +65,8 @@ func NewController(
|
|||
discoveryClient dclient.IDiscovery,
|
||||
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
||||
polexInformer kyvernov2informers.PolicyExceptionInformer,
|
||||
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapbindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
vapInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyInformer,
|
||||
vapbindingInformer admissionregistrationv1beta1informers.ValidatingAdmissionPolicyBindingInformer,
|
||||
eventGen event.Interface,
|
||||
checker checker.AuthChecker,
|
||||
) controllers.Controller {
|
||||
|
@ -188,22 +188,22 @@ func (c *controller) enqueueException(obj *kyvernov2.PolicyException) {
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) addVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
c.enqueueVAP(obj)
|
||||
}
|
||||
|
||||
func (c *controller) updateVAP(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) updateVAP(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
if datautils.DeepEqual(old.Spec, obj.Spec) {
|
||||
return
|
||||
}
|
||||
c.enqueueVAP(obj)
|
||||
}
|
||||
|
||||
func (c *controller) deleteVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) deleteVAP(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
c.enqueueVAP(obj)
|
||||
}
|
||||
|
||||
func (c *controller) enqueueVAP(v *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
|
||||
func (c *controller) enqueueVAP(v *admissionregistrationv1beta1.ValidatingAdmissionPolicy) {
|
||||
if len(v.OwnerReferences) == 1 {
|
||||
if v.OwnerReferences[0].Kind == "ClusterPolicy" {
|
||||
cpol, err := c.cpolLister.Get(v.OwnerReferences[0].Name)
|
||||
|
@ -215,22 +215,22 @@ func (c *controller) enqueueVAP(v *admissionregistrationv1alpha1.ValidatingAdmis
|
|||
}
|
||||
}
|
||||
|
||||
func (c *controller) addVAPbinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) addVAPbinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
c.enqueueVAPbinding(obj)
|
||||
}
|
||||
|
||||
func (c *controller) updateVAPbinding(old, obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) updateVAPbinding(old, obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
if datautils.DeepEqual(old.Spec, obj.Spec) {
|
||||
return
|
||||
}
|
||||
c.enqueueVAPbinding(obj)
|
||||
}
|
||||
|
||||
func (c *controller) deleteVAPbinding(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) deleteVAPbinding(obj *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
c.enqueueVAPbinding(obj)
|
||||
}
|
||||
|
||||
func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (c *controller) enqueueVAPbinding(vb *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
if len(vb.OwnerReferences) == 1 {
|
||||
if vb.OwnerReferences[0].Kind == "ClusterPolicy" {
|
||||
cpol, err := c.cpolLister.Get(vb.OwnerReferences[0].Name)
|
||||
|
@ -250,7 +250,7 @@ func (c *controller) getClusterPolicy(name string) (*kyvernov1.ClusterPolicy, er
|
|||
return cpolicy, nil
|
||||
}
|
||||
|
||||
func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
|
||||
func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregistrationv1beta1.ValidatingAdmissionPolicy, error) {
|
||||
vap, err := c.vapLister.Get(name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -258,7 +258,7 @@ func (c *controller) getValidatingAdmissionPolicy(name string) (*admissionregist
|
|||
return vap, nil
|
||||
}
|
||||
|
||||
func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, error) {
|
||||
func (c *controller) getValidatingAdmissionPolicyBinding(name string) (*admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
vapbinding, err := c.vapbindingLister.Get(name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -328,14 +328,14 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
if ok, msg := validatingadmissionpolicy.CanGenerateVAP(spec, exceptions); !ok {
|
||||
// delete the ValidatingAdmissionPolicy if exist
|
||||
if vapErr == nil {
|
||||
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
|
||||
err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
// delete the ValidatingAdmissionPolicyBinding if exist
|
||||
if vapBindingErr == nil {
|
||||
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
|
||||
err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -353,7 +353,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error())
|
||||
return vapErr
|
||||
}
|
||||
observedVAP = &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
|
||||
observedVAP = &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: vapName,
|
||||
},
|
||||
|
@ -365,7 +365,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error())
|
||||
return vapBindingErr
|
||||
}
|
||||
observedVAPbinding = &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
|
||||
observedVAPbinding = &admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: vapBindingName,
|
||||
},
|
||||
|
@ -378,7 +378,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
|
||||
return err
|
||||
}
|
||||
_, err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{})
|
||||
_, err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies().Create(ctx, observedVAP, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
|
||||
return err
|
||||
|
@ -387,8 +387,8 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
_, err = controllerutils.Update(
|
||||
ctx,
|
||||
observedVAP,
|
||||
c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies(),
|
||||
func(observed *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) error {
|
||||
c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicies(),
|
||||
func(observed *admissionregistrationv1beta1.ValidatingAdmissionPolicy) error {
|
||||
return validatingadmissionpolicy.BuildValidatingAdmissionPolicy(c.discoveryClient, observed, policy, exceptions)
|
||||
})
|
||||
if err != nil {
|
||||
|
@ -403,7 +403,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
|
||||
return err
|
||||
}
|
||||
_, err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{})
|
||||
_, err = c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings().Create(ctx, observedVAPbinding, metav1.CreateOptions{})
|
||||
if err != nil {
|
||||
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
|
||||
return err
|
||||
|
@ -412,8 +412,8 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
_, err = controllerutils.Update(
|
||||
ctx,
|
||||
observedVAPbinding,
|
||||
c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings(),
|
||||
func(observed *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) error {
|
||||
c.client.AdmissionregistrationV1beta1().ValidatingAdmissionPolicyBindings(),
|
||||
func(observed *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) error {
|
||||
return validatingadmissionpolicy.BuildValidatingAdmissionPolicyBinding(observed, policy)
|
||||
})
|
||||
if err != nil {
|
||||
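Review bot: The `ValidatingAdmissionPolicies().Delete(ctx, vapName, …)` / `ValidatingAdmissionPolicyBindings().Delete(…)` calls in the `@ -328,14` hunk, and the `controllerutils.Update` calls in the `@ -387,8` and `@ -412,8` hunks, act on whatever object currently bears `vapName` or `vapBindingName`, and the only existence check behind them is `getValidatingAdmissionPolicy` / `getValidatingAdmissionPolicyBinding`, which are plain lister `Get`s with no ownership test. I cannot see how `vapName` is derived, so this may already be prevented by a reserved naming scheme; if it is not, a hand-written policy that happens to share the name would be deleted or overwritten by this controller. Checking `metav1.IsControlledBy(vap, policy)` on the object the lister returned before deleting or updating it would limit the controller to objects it created, consistent with the owner-reference test already done in `enqueueVAP`. `reconcile` starts and ends outside these hunks.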
|
|
|
@ -2,7 +2,7 @@ package api
|
|||
|
||||
import (
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
|
@ -22,7 +22,7 @@ type GenericPolicy interface {
|
|||
// AsKyvernoPolicy returns the kyverno policy
|
||||
AsKyvernoPolicy() kyvernov1.PolicyInterface
|
||||
// AsValidatingAdmissionPolicy returns the validating admission policy
|
||||
AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
|
||||
AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
// GetType returns policy type
|
||||
GetType() PolicyType
|
||||
// GetAPIVersion returns policy API version
|
||||
|
@ -51,7 +51,7 @@ func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
|
|||
return p.policy
|
||||
}
|
||||
|
||||
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
|
||||
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -98,14 +98,14 @@ func NewKyvernoPolicy(pol kyvernov1.PolicyInterface) GenericPolicy {
|
|||
}
|
||||
|
||||
type ValidatingAdmissionPolicy struct {
|
||||
policy v1alpha1.ValidatingAdmissionPolicy
|
||||
policy admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
}
|
||||
|
||||
func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
|
||||
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *admissionregistrationv1beta1.ValidatingAdmissionPolicy {
|
||||
return &p.policy
|
||||
}
|
||||
|
||||
|
@ -114,7 +114,7 @@ func (p *ValidatingAdmissionPolicy) GetType() PolicyType {
|
|||
}
|
||||
|
||||
func (p *ValidatingAdmissionPolicy) GetAPIVersion() string {
|
||||
return "admissionregistration.k8s.io/v1alpha1"
|
||||
return "admissionregistration.k8s.io/v1beta1"
|
||||
}
|
||||
|
||||
func (p *ValidatingAdmissionPolicy) GetName() string {
|
||||
|
@ -145,7 +145,7 @@ func (p *ValidatingAdmissionPolicy) MetaObject() metav1.Object {
|
|||
return &p.policy
|
||||
}
|
||||
|
||||
func NewValidatingAdmissionPolicy(pol v1alpha1.ValidatingAdmissionPolicy) GenericPolicy {
|
||||
func NewValidatingAdmissionPolicy(pol admissionregistrationv1beta1.ValidatingAdmissionPolicy) GenericPolicy {
|
||||
return &ValidatingAdmissionPolicy{
|
||||
policy: pol,
|
||||
}
|
||||
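Review bot: `GetAPIVersion` now returns the literal `"admissionregistration.k8s.io/v1beta1"`, which has to be kept in step by hand with the imported `admissionregistrationv1beta1` package; `return admissionregistrationv1beta1.SchemeGroupVersion.String()` yields the same value and cannot drift the next time the version moves. The same literal is written twice more in `NewValidatingAdmissionPolicyEvent` (the `APIVersion:` fields of the two `corev1.ObjectReference` values in the `@ -347,7` and `@ -359,7` hunks), where the same expression could be used if that file imports the package.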
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
|
||||
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
||||
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
|
@ -46,7 +46,7 @@ type RuleResponse struct {
|
|||
// exceptions are the exceptions applied (if any)
|
||||
exceptions []kyvernov2.PolicyException
|
||||
// binding is the validatingadmissionpolicybinding (if any)
|
||||
binding *v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
// emitWarning enable passing rule message as warning to api server warning header
|
||||
emitWarning bool
|
||||
}
|
||||
|
@ -93,7 +93,7 @@ func (r RuleResponse) WithExceptions(exceptions []kyvernov2.PolicyException) *Ru
|
|||
return &r
|
||||
}
|
||||
|
||||
func (r RuleResponse) WithBinding(binding *v1alpha1.ValidatingAdmissionPolicyBinding) *RuleResponse {
|
||||
func (r RuleResponse) WithBinding(binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) *RuleResponse {
|
||||
r.binding = binding
|
||||
return &r
|
||||
}
|
||||
|
@ -133,7 +133,7 @@ func (r *RuleResponse) Exceptions() []kyvernov2.PolicyException {
|
|||
return r.exceptions
|
||||
}
|
||||
|
||||
func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *v1alpha1.ValidatingAdmissionPolicyBinding {
|
||||
func (r *RuleResponse) ValidatingAdmissionPolicyBinding() *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
|
||||
return r.binding
|
||||
}
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
celutils "github.com/kyverno/kyverno/pkg/utils/cel"
|
||||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
vaputils "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -215,7 +215,7 @@ func (h validateCELHandler) Process(
|
|||
)
|
||||
}
|
||||
|
||||
func collectParams(ctx context.Context, client engineapi.Client, paramKind *admissionregistrationv1alpha1.ParamKind, paramRef *admissionregistrationv1alpha1.ParamRef, namespace string) ([]runtime.Object, error) {
|
||||
func collectParams(ctx context.Context, client engineapi.Client, paramKind *admissionregistrationv1beta1.ParamKind, paramRef *admissionregistrationv1beta1.ParamRef, namespace string) ([]runtime.Object, error) {
|
||||
var params []runtime.Object
|
||||
|
||||
apiVersion := paramKind.APIVersion
|
||||
|
@ -266,7 +266,7 @@ func collectParams(ctx context.Context, client engineapi.Client, paramKind *admi
|
|||
}
|
||||
}
|
||||
|
||||
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == admissionregistrationv1alpha1.DenyAction {
|
||||
if len(params) == 0 && paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == admissionregistrationv1beta1.DenyAction {
|
||||
return nil, fmt.Errorf("no params found")
|
||||
}
|
||||
|
||||
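Review bot: The condition `paramRef.ParameterNotFoundAction != nil && *paramRef.ParameterNotFoundAction == admissionregistrationv1beta1.DenyAction` treats an unset `parameterNotFoundAction` as allow, so a binding with a `paramRef` whose parameters do not exist falls through with an empty `params` slice; in the API this field is required in v1beta1 (and defaulted to `Deny` in v1alpha1), so a nil value should only reach this code for policies that were not validated by the API server, e.g. loaded from files, and for those the evaluation is fail-open. Matching the server's posture would be `if len(params) == 0 && (paramRef.ParameterNotFoundAction == nil || *paramRef.ParameterNotFoundAction == admissionregistrationv1beta1.DenyAction) {`. Separately, `paramKind` is dereferenced at `apiVersion := paramKind.APIVersion` and `paramRef` at this condition without nil checks; if the caller guarantees both are non-nil, a doc comment on `collectParams` stating that would help. The body of `collectParams` continues outside the two hunks.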
|
|
|
@ -347,7 +347,7 @@ func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName
|
|||
vapEvent := Info{
|
||||
Regarding: regarding,
|
||||
Related: &corev1.ObjectReference{
|
||||
APIVersion: "admissionregistration.k8s.io/v1alpha1",
|
||||
APIVersion: "admissionregistration.k8s.io/v1beta1",
|
||||
Kind: "ValidatingAdmissionPolicy",
|
||||
Name: vapName,
|
||||
},
|
||||
|
@ -359,7 +359,7 @@ func NewValidatingAdmissionPolicyEvent(policy kyvernov1.PolicyInterface, vapName
|
|||
vapBindingEvent := Info{
|
||||
Regarding: regarding,
|
||||
Related: &corev1.ObjectReference{
|
||||
APIVersion: "admissionregistration.k8s.io/v1alpha1",
|
||||
APIVersion: "admissionregistration.k8s.io/v1beta1",
|
||||
Kind: "ValidatingAdmissionPolicyBinding",
|
||||
Name: vapBindingName,
|
||||
},
|
||||
|
|
|
@ -2,7 +2,7 @@ package cel
|
|||
|
||||
import (
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apiserver/pkg/admission/plugin/cel"
|
||||
"k8s.io/apiserver/pkg/admission/plugin/policy/validating"
|
||||
"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
|
||||
|
@ -12,17 +12,17 @@ import (
|
|||
type Compiler struct {
|
||||
compositedCompiler cel.CompositedCompiler
|
||||
// CEL expressions
|
||||
validateExpressions []admissionregistrationv1alpha1.Validation
|
||||
auditAnnotationExpressions []admissionregistrationv1alpha1.AuditAnnotation
|
||||
validateExpressions []admissionregistrationv1beta1.Validation
|
||||
auditAnnotationExpressions []admissionregistrationv1beta1.AuditAnnotation
|
||||
matchExpressions []admissionregistrationv1.MatchCondition
|
||||
variables []admissionregistrationv1alpha1.Variable
|
||||
variables []admissionregistrationv1beta1.Variable
|
||||
}
|
||||
|
||||
func NewCompiler(
|
||||
validations []admissionregistrationv1alpha1.Validation,
|
||||
auditAnnotations []admissionregistrationv1alpha1.AuditAnnotation,
|
||||
validations []admissionregistrationv1beta1.Validation,
|
||||
auditAnnotations []admissionregistrationv1beta1.AuditAnnotation,
|
||||
matchConditions []admissionregistrationv1.MatchCondition,
|
||||
variables []admissionregistrationv1alpha1.Variable,
|
||||
variables []admissionregistrationv1beta1.Variable,
|
||||
) (*Compiler, error) {
|
||||
compositedCompiler, err := cel.NewCompositedCompiler(environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), false))
|
||||
if err != nil {
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
fuzz "github.com/AdaLogics/go-fuzz-headers"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
)
|
||||
|
||||
func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error) {
|
||||
|
@ -200,7 +200,7 @@ func createRule(f *fuzz.ConsumeFuzzer) (*kyvernov1.Rule, error) {
|
|||
return rule, err
|
||||
}
|
||||
if setCELPreconditions {
|
||||
celp := make([]admissionregistrationv1alpha1.MatchCondition, 0)
|
||||
celp := make([]admissionregistrationv1beta1.MatchCondition, 0)
|
||||
err = f.CreateSlice(&celp)
|
||||
if err != nil {
|
||||
return rule, err
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
|
@ -89,7 +89,7 @@ func PolicyExceptionLabel(exception kyvernov2.PolicyException) string {
|
|||
return LabelPrefixPolicyException + exception.GetName()
|
||||
}
|
||||
|
||||
func ValidatingAdmissionPolicyBindingLabel(binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) string {
|
||||
func ValidatingAdmissionPolicyBindingLabel(binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) string {
|
||||
return LabelPrefixValidatingAdmissionPolicyBinding + binding.GetName()
|
||||
}
|
||||
|
||||
|
@ -168,7 +168,7 @@ func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyverno
|
|||
controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
|
||||
}
|
||||
|
||||
func SetValidatingAdmissionPolicyBindingLabel(report reportsv1.ReportInterface, binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func SetValidatingAdmissionPolicyBindingLabel(report reportsv1.ReportInterface, binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
controllerutils.SetLabel(report, ValidatingAdmissionPolicyBindingLabel(binding), binding.GetResourceVersion())
|
||||
}
|
||||
|
||||
|
|
|
@ -8,14 +8,14 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
extyaml "github.com/kyverno/kyverno/ext/yaml"
|
||||
log "github.com/kyverno/kyverno/pkg/logging"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/yaml"
|
||||
)
|
||||
|
||||
// GetPolicy extracts policies from YAML bytes
|
||||
func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []v1alpha1.ValidatingAdmissionPolicyBinding, err error) {
|
||||
func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, err error) {
|
||||
documents, err := extyaml.SplitDocuments(bytes)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
|
@ -51,11 +51,11 @@ func GetPolicy(bytes []byte) (policies []kyvernov1.PolicyInterface, validatingAd
|
|||
return policies, validatingAdmissionPolicies, validatingAdmissionPolicyBindings, err
|
||||
}
|
||||
|
||||
func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []v1alpha1.ValidatingAdmissionPolicyBinding, us *unstructured.Unstructured) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, []v1alpha1.ValidatingAdmissionPolicyBinding, error) {
|
||||
func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies []admissionregistrationv1beta1.ValidatingAdmissionPolicy, validatingAdmissionPolicyBindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, us *unstructured.Unstructured) ([]kyvernov1.PolicyInterface, []admissionregistrationv1beta1.ValidatingAdmissionPolicy, []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding, error) {
|
||||
kind := us.GetKind()
|
||||
|
||||
if strings.Compare(kind, "ValidatingAdmissionPolicy") == 0 {
|
||||
validatingAdmissionPolicy := v1alpha1.ValidatingAdmissionPolicy{}
|
||||
validatingAdmissionPolicy := admissionregistrationv1beta1.ValidatingAdmissionPolicy{}
|
||||
|
||||
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(us.Object, &validatingAdmissionPolicy, true); err != nil {
|
||||
return policies, nil, validatingAdmissionPolicyBindings, fmt.Errorf("failed to decode policy: %v", err)
|
||||
|
@ -68,7 +68,7 @@ func addPolicy(policies []kyvernov1.PolicyInterface, validatingAdmissionPolicies
|
|||
|
||||
validatingAdmissionPolicies = append(validatingAdmissionPolicies, validatingAdmissionPolicy)
|
||||
} else if strings.Compare(kind, "ValidatingAdmissionPolicyBinding") == 0 {
|
||||
validatingAdmissionPolicyBinding := v1alpha1.ValidatingAdmissionPolicyBinding{}
|
||||
validatingAdmissionPolicyBinding := admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding{}
|
||||
|
||||
if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(us.Object, &validatingAdmissionPolicyBinding, true); err != nil {
|
||||
return policies, validatingAdmissionPolicies, nil, fmt.Errorf("failed to decode policy: %v", err)
|
||||
|
|
|
@ -303,7 +303,7 @@ items:
|
|||
name: "ValidatingAdmissionPolicy",
|
||||
args: args{
|
||||
[]byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "demo-policy.example.com"
|
||||
|
@ -326,7 +326,7 @@ spec:
|
|||
name: "ValidatingAdmissionPolicy and Policy",
|
||||
args: args{
|
||||
[]byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "demo-policy.example.com"
|
||||
|
@ -380,7 +380,7 @@ spec:
|
|||
name: "ValidatingAdmissionPolicy and ClusterPolicy",
|
||||
args: args{
|
||||
[]byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "demo-policy.example.com"
|
||||
|
@ -433,7 +433,7 @@ spec:
|
|||
name: "ValidatingAdmissionPolicyBinding",
|
||||
args: args{
|
||||
[]byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
name: "demo-binding-test.example.com"
|
||||
|
@ -453,7 +453,7 @@ spec:
|
|||
name: "ValidatingAdmissionPolicy and its binding",
|
||||
args: args{
|
||||
[]byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "demo-policy.example.com"
|
||||
|
@ -468,7 +468,7 @@ spec:
|
|||
validations:
|
||||
- expression: "object.spec.replicas <= 5"
|
||||
---
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
name: "demo-binding-test.example.com"
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"context"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -14,23 +14,23 @@ import (
|
|||
// Everything someone might need to validate a single ValidatingPolicyDefinition
|
||||
// against all of its registered bindings.
|
||||
type PolicyData struct {
|
||||
definition v1alpha1.ValidatingAdmissionPolicy
|
||||
bindings []v1alpha1.ValidatingAdmissionPolicyBinding
|
||||
definition admissionregistrationv1beta1.ValidatingAdmissionPolicy
|
||||
bindings []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding
|
||||
}
|
||||
|
||||
func (p *PolicyData) AddBinding(binding v1alpha1.ValidatingAdmissionPolicyBinding) {
|
||||
func (p *PolicyData) AddBinding(binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) {
|
||||
p.bindings = append(p.bindings, binding)
|
||||
}
|
||||
|
||||
func (p *PolicyData) GetDefinition() v1alpha1.ValidatingAdmissionPolicy {
|
||||
func (p *PolicyData) GetDefinition() admissionregistrationv1beta1.ValidatingAdmissionPolicy {
|
||||
return p.definition
|
||||
}
|
||||
|
||||
func (p *PolicyData) GetBindings() []v1alpha1.ValidatingAdmissionPolicyBinding {
|
||||
func (p *PolicyData) GetBindings() []admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding {
|
||||
return p.bindings
|
||||
}
|
||||
|
||||
func NewPolicyData(policy v1alpha1.ValidatingAdmissionPolicy) PolicyData {
|
||||
func NewPolicyData(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) PolicyData {
|
||||
return PolicyData{
|
||||
definition: policy,
|
||||
}
|
||||
|
|
|
@ -10,14 +10,14 @@ import (
|
|||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// BuildValidatingAdmissionPolicy is used to build a Kubernetes ValidatingAdmissionPolicy from a Kyverno policy
|
||||
func BuildValidatingAdmissionPolicy(
|
||||
discoveryClient dclient.IDiscovery,
|
||||
vap *admissionregistrationv1alpha1.ValidatingAdmissionPolicy,
|
||||
vap *admissionregistrationv1beta1.ValidatingAdmissionPolicy,
|
||||
cpol kyvernov1.PolicyInterface,
|
||||
exceptions []kyvernov2.PolicyException,
|
||||
) error {
|
||||
|
@ -32,8 +32,8 @@ func BuildValidatingAdmissionPolicy(
|
|||
}
|
||||
|
||||
// construct the rules
|
||||
var matchResources admissionregistrationv1alpha1.MatchResources
|
||||
var matchRules, excludeRules []admissionregistrationv1alpha1.NamedRuleWithOperations
|
||||
var matchResources admissionregistrationv1beta1.MatchResources
|
||||
var matchRules, excludeRules []admissionregistrationv1beta1.NamedRuleWithOperations
|
||||
|
||||
rule := cpol.GetSpec().Rules[0]
|
||||
|
||||
|
@ -92,7 +92,7 @@ func BuildValidatingAdmissionPolicy(
|
|||
}
|
||||
|
||||
// set policy spec
|
||||
vap.Spec = admissionregistrationv1alpha1.ValidatingAdmissionPolicySpec{
|
||||
vap.Spec = admissionregistrationv1beta1.ValidatingAdmissionPolicySpec{
|
||||
MatchConstraints: &matchResources,
|
||||
ParamKind: rule.Validation.CEL.ParamKind,
|
||||
Variables: rule.Validation.CEL.Variables,
|
||||
|
@ -108,7 +108,7 @@ func BuildValidatingAdmissionPolicy(
|
|||
|
||||
// BuildValidatingAdmissionPolicyBinding is used to build a Kubernetes ValidatingAdmissionPolicyBinding from a Kyverno policy
|
||||
func BuildValidatingAdmissionPolicyBinding(
|
||||
vapbinding *admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding,
|
||||
vapbinding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
|
||||
cpol kyvernov1.PolicyInterface,
|
||||
) error {
|
||||
// set owner reference
|
||||
|
@ -122,28 +122,28 @@ func BuildValidatingAdmissionPolicyBinding(
|
|||
}
|
||||
|
||||
// set validation action for vap binding
|
||||
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
||||
var validationActions []admissionregistrationv1beta1.ValidationAction
|
||||
validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
|
||||
if validateAction != nil {
|
||||
if validateAction.Enforce() {
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Deny)
|
||||
} else if validateAction.Audit() {
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Audit)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Warn)
|
||||
}
|
||||
} else {
|
||||
validateAction := cpol.GetSpec().ValidationFailureAction
|
||||
if validateAction.Enforce() {
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Deny)
|
||||
} else if validateAction.Audit() {
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Audit)
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Warn)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Audit)
|
||||
validationActions = append(validationActions, admissionregistrationv1beta1.Warn)
|
||||
}
|
||||
}
|
||||
|
||||
// set validating admission policy binding spec
|
||||
rule := cpol.GetSpec().Rules[0]
|
||||
vapbinding.Spec = admissionregistrationv1alpha1.ValidatingAdmissionPolicyBindingSpec{
|
||||
vapbinding.Spec = admissionregistrationv1beta1.ValidatingAdmissionPolicyBindingSpec{
|
||||
PolicyName: cpol.GetName(),
|
||||
ParamRef: rule.Validation.CEL.ParamRef,
|
||||
ValidationActions: validationActions,
|
||||
|
@ -155,8 +155,8 @@ func BuildValidatingAdmissionPolicyBinding(
|
|||
}
|
||||
|
||||
func translateResourceFilters(discoveryClient dclient.IDiscovery,
|
||||
matchResources *admissionregistrationv1alpha1.MatchResources,
|
||||
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
|
||||
matchResources *admissionregistrationv1beta1.MatchResources,
|
||||
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
|
||||
resFilters kyvernov1.ResourceFilters,
|
||||
isMatch bool,
|
||||
) error {
|
||||
|
@ -171,8 +171,8 @@ func translateResourceFilters(discoveryClient dclient.IDiscovery,
|
|||
|
||||
func translateResource(
|
||||
discoveryClient dclient.IDiscovery,
|
||||
matchResources *admissionregistrationv1alpha1.MatchResources,
|
||||
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
|
||||
matchResources *admissionregistrationv1beta1.MatchResources,
|
||||
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
|
||||
res kyvernov1.ResourceDescription,
|
||||
isMatch bool,
|
||||
) error {
|
||||
|
@ -206,7 +206,7 @@ func translateResource(
|
|||
|
||||
func constructValidatingAdmissionPolicyRules(
|
||||
discoveryClient dclient.IDiscovery,
|
||||
rules *[]admissionregistrationv1alpha1.NamedRuleWithOperations,
|
||||
rules *[]admissionregistrationv1beta1.NamedRuleWithOperations,
|
||||
res kyvernov1.ResourceDescription,
|
||||
isMatch bool,
|
||||
) error {
|
||||
|
@ -226,7 +226,7 @@ func constructValidatingAdmissionPolicyRules(
|
|||
// apiVersions: ["version"]
|
||||
// resources: ["resource"]
|
||||
for _, kind := range res.Kinds {
|
||||
var r admissionregistrationv1alpha1.NamedRuleWithOperations
|
||||
var r admissionregistrationv1beta1.NamedRuleWithOperations
|
||||
|
||||
if kind == "*" {
|
||||
r = buildNamedRuleWithOperations(resourceNames, "*", "*", ops, "*")
|
||||
|
@ -270,7 +270,7 @@ func constructValidatingAdmissionPolicyRules(
|
|||
|
||||
// if exclude block has namespaces but no kinds, we need to add a rule for the namespaces
|
||||
if !isMatch && len(res.Namespaces) > 0 && len(res.Kinds) == 0 {
|
||||
r := admissionregistrationv1alpha1.NamedRuleWithOperations{
|
||||
r := admissionregistrationv1beta1.NamedRuleWithOperations{
|
||||
ResourceNames: res.Namespaces,
|
||||
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
|
||||
Rule: admissionregistrationv1.Rule{
|
||||
|
@ -291,8 +291,8 @@ func buildNamedRuleWithOperations(
|
|||
group, version string,
|
||||
operations []admissionregistrationv1.OperationType,
|
||||
resources ...string,
|
||||
) admissionregistrationv1alpha1.NamedRuleWithOperations {
|
||||
return admissionregistrationv1alpha1.NamedRuleWithOperations{
|
||||
) admissionregistrationv1beta1.NamedRuleWithOperations {
|
||||
return admissionregistrationv1beta1.NamedRuleWithOperations{
|
||||
ResourceNames: resourceNames,
|
||||
RuleWithOperations: admissionregistrationv1.RuleWithOperations{
|
||||
Rule: admissionregistrationv1.Rule{
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package validatingadmissionpolicy
|
||||
|
||||
import (
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apimachinery/pkg/api/meta"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -14,7 +14,7 @@ import (
|
|||
// - if the object selector matches the resource
|
||||
// - if the resource is excluded by the policy/binding
|
||||
// - if the resource matches the policy/binding rules
|
||||
func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[string]string, matchCriteria admissionregistrationv1alpha1.MatchResources) (bool, error) {
|
||||
func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[string]string, matchCriteria admissionregistrationv1beta1.MatchResources) (bool, error) {
|
||||
// check if the namespace selector matches the resource namespace
|
||||
if matchCriteria.NamespaceSelector != nil {
|
||||
if len(matchCriteria.NamespaceSelector.MatchLabels) > 0 || len(matchCriteria.NamespaceSelector.MatchExpressions) > 0 {
|
||||
|
@ -66,7 +66,7 @@ func matches(attr admission.Attributes, namespaceSelectorMap map[string]map[stri
|
|||
return true, nil
|
||||
}
|
||||
|
||||
func matchesResourceRules(resourceRules []admissionregistrationv1alpha1.NamedRuleWithOperations, attr admission.Attributes) bool {
|
||||
func matchesResourceRules(resourceRules []admissionregistrationv1beta1.NamedRuleWithOperations, attr admission.Attributes) bool {
|
||||
for _, r := range resourceRules {
|
||||
ruleMatcher := rules.Matcher{
|
||||
Rule: r.RuleWithOperations,
|
||||
|
|
|
@ -19,20 +19,20 @@ func hasPermissions(resource schema.GroupVersionResource, s checker.AuthChecker)
|
|||
// HasValidatingAdmissionPolicyPermission check if the admission controller has the required permissions to generate
|
||||
// Kubernetes ValidatingAdmissionPolicy
|
||||
func HasValidatingAdmissionPolicyPermission(s checker.AuthChecker) bool {
|
||||
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicies"}
|
||||
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1beta1", Resource: "validatingadmissionpolicies"}
|
||||
return hasPermissions(gvr, s)
|
||||
}
|
||||
|
||||
// HasValidatingAdmissionPolicyBindingPermission check if the admission controller has the required permissions to generate
|
||||
// Kubernetes ValidatingAdmissionPolicyBinding
|
||||
func HasValidatingAdmissionPolicyBindingPermission(s checker.AuthChecker) bool {
|
||||
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1alpha1", Resource: "validatingadmissionpolicybindings"}
|
||||
gvr := schema.GroupVersionResource{Group: "admissionregistration.k8s.io", Version: "v1beta1", Resource: "validatingadmissionpolicybindings"}
|
||||
return hasPermissions(gvr, s)
|
||||
}
|
||||
|
||||
// IsValidatingAdmissionPolicyRegistered checks if ValidatingAdmissionPolicies are registered in the API Server
|
||||
func IsValidatingAdmissionPolicyRegistered(kubeClient kubernetes.Interface) (bool, error) {
|
||||
groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1alpha1"}
|
||||
groupVersion := schema.GroupVersion{Group: "admissionregistration.k8s.io", Version: "v1beta1"}
|
||||
if _, err := kubeClient.Discovery().ServerResourcesForGroupVersion(groupVersion.String()); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
|
|
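Review bot: IsValidatingAdmissionPolicyRegistered now probes exactly one served version, `admissionregistration.k8s.io/v1beta1`, so a cluster that serves ValidatingAdmissionPolicy only under v1alpha1 (older releases) or only under v1 (once v1beta1 stops being served) is reported as not registered and VAP generation is silently disabled, with the discovery error giving no hint that the cause is a version mismatch. Which releases serve which version is not visible here, so the exact range is worth confirming, but the assumption should at least be written down: `// Probes v1beta1 only; clusters that serve ValidatingAdmissionPolicy solely under another version (v1alpha1 or v1) are reported as not registered.` Wrapping the returned error with the probed group/version, e.g. `return false, fmt.Errorf("discovery of %s failed: %w", groupVersion.String(), err)`, would make the mismatch diagnosable from logs. The same single-version pinning applies to the two GVRs in HasValidatingAdmissionPolicyPermission and HasValidatingAdmissionPolicyBindingPermission above it.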
@ -14,7 +14,7 @@ import (
|
|||
"golang.org/x/text/cases"
|
||||
"golang.org/x/text/language"
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
"k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -29,7 +29,7 @@ import (
|
|||
celconfig "k8s.io/apiserver/pkg/apis/cel"
|
||||
)
|
||||
|
||||
func GetKinds(policy v1alpha1.ValidatingAdmissionPolicy) []string {
|
||||
func GetKinds(policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) []string {
|
||||
var kindList []string
|
||||
|
||||
matchResources := policy.Spec.MatchConstraints
|
||||
|
@ -120,7 +120,7 @@ func Validate(
|
|||
nsLister := NewCustomNamespaceLister(client)
|
||||
matcher := generic.NewPolicyMatcher(matching.NewMatcher(nsLister, client.GetKubeClient()))
|
||||
|
||||
// convert policy from v1alpha1 to v1
|
||||
// convert policy from v1beta1 to v1
|
||||
v1policy := ConvertValidatingAdmissionPolicy(policy)
|
||||
|
||||
// construct admission attributes
|
||||
|
@ -179,8 +179,8 @@ func Validate(
|
|||
}
|
||||
|
||||
func validateResource(
|
||||
policy v1alpha1.ValidatingAdmissionPolicy,
|
||||
binding *v1alpha1.ValidatingAdmissionPolicyBinding,
|
||||
policy admissionregistrationv1beta1.ValidatingAdmissionPolicy,
|
||||
binding *admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding,
|
||||
resource unstructured.Unstructured,
|
||||
namespace corev1.Namespace,
|
||||
a admission.Attributes,
|
||||
|
@ -208,9 +208,9 @@ func validateResource(
|
|||
failPolicy = admissionregistrationv1.FailurePolicyType(*policy.Spec.FailurePolicy)
|
||||
}
|
||||
|
||||
var matchPolicy v1alpha1.MatchPolicyType
|
||||
var matchPolicy admissionregistrationv1beta1.MatchPolicyType
|
||||
if policy.Spec.MatchConstraints.MatchPolicy == nil {
|
||||
matchPolicy = v1alpha1.Equivalent
|
||||
matchPolicy = admissionregistrationv1beta1.Equivalent
|
||||
} else {
|
||||
matchPolicy = *policy.Spec.MatchConstraints.MatchPolicy
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ func TestGetKinds(t *testing.T) {
|
|||
{
|
||||
name: "Matching pods",
|
||||
policy: []byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "policy-1"
|
||||
|
@ -38,7 +38,7 @@ spec:
|
|||
{
|
||||
name: "Matching deployments, replicasets, daemonsets and statefulsets",
|
||||
policy: []byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "policy-2"
|
||||
|
@ -58,7 +58,7 @@ spec:
|
|||
{
|
||||
name: "Matching deployments/scale",
|
||||
policy: []byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "policy-3"
|
||||
|
@ -78,7 +78,7 @@ spec:
|
|||
{
|
||||
name: "Matching jobs and cronjobs",
|
||||
policy: []byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "policy-4"
|
||||
|
@ -98,7 +98,7 @@ spec:
|
|||
{
|
||||
name: "Multiple resource rules",
|
||||
policy: []byte(`
|
||||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "policy-5"
|
||||
|
|
|
@ -2,71 +2,71 @@ package validatingadmissionpolicy
|
|||
|
||||
import (
|
||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// ConvertValidatingAdmissionPolicy is used to convert v1alpha1 of ValidatingAdmissionPolicy to v1
|
||||
func ConvertValidatingAdmissionPolicy(v1alpha1policy admissionregistrationv1alpha1.ValidatingAdmissionPolicy) admissionregistrationv1.ValidatingAdmissionPolicy {
|
||||
// ConvertValidatingAdmissionPolicy is used to convert v1beta1 of ValidatingAdmissionPolicy to v1
|
||||
func ConvertValidatingAdmissionPolicy(v1beta1policy admissionregistrationv1beta1.ValidatingAdmissionPolicy) admissionregistrationv1.ValidatingAdmissionPolicy {
|
||||
var namespaceSelector, objectSelector metav1.LabelSelector
|
||||
if v1alpha1policy.Spec.MatchConstraints.NamespaceSelector != nil {
|
||||
namespaceSelector = *v1alpha1policy.Spec.MatchConstraints.NamespaceSelector
|
||||
if v1beta1policy.Spec.MatchConstraints.NamespaceSelector != nil {
|
||||
namespaceSelector = *v1beta1policy.Spec.MatchConstraints.NamespaceSelector
|
||||
}
|
||||
if v1alpha1policy.Spec.MatchConstraints.ObjectSelector != nil {
|
||||
objectSelector = *v1alpha1policy.Spec.MatchConstraints.ObjectSelector
|
||||
if v1beta1policy.Spec.MatchConstraints.ObjectSelector != nil {
|
||||
objectSelector = *v1beta1policy.Spec.MatchConstraints.ObjectSelector
|
||||
}
|
||||
v1beta1policy := admissionregistrationv1.ValidatingAdmissionPolicy{
|
||||
v1policy := admissionregistrationv1.ValidatingAdmissionPolicy{
|
||||
Spec: admissionregistrationv1.ValidatingAdmissionPolicySpec{
|
||||
FailurePolicy: (*admissionregistrationv1.FailurePolicyType)(v1alpha1policy.Spec.FailurePolicy),
|
||||
ParamKind: (*admissionregistrationv1.ParamKind)(v1alpha1policy.Spec.ParamKind),
|
||||
FailurePolicy: (*admissionregistrationv1.FailurePolicyType)(v1beta1policy.Spec.FailurePolicy),
|
||||
ParamKind: (*admissionregistrationv1.ParamKind)(v1beta1policy.Spec.ParamKind),
|
||||
MatchConstraints: &admissionregistrationv1.MatchResources{
|
||||
NamespaceSelector: &namespaceSelector,
|
||||
ObjectSelector: &objectSelector,
|
||||
ResourceRules: convertRules(v1alpha1policy.Spec.MatchConstraints.ResourceRules),
|
||||
ExcludeResourceRules: convertRules(v1alpha1policy.Spec.MatchConstraints.ExcludeResourceRules),
|
||||
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(v1alpha1policy.Spec.MatchConstraints.MatchPolicy),
|
||||
ResourceRules: convertRules(v1beta1policy.Spec.MatchConstraints.ResourceRules),
|
||||
ExcludeResourceRules: convertRules(v1beta1policy.Spec.MatchConstraints.ExcludeResourceRules),
|
||||
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(v1beta1policy.Spec.MatchConstraints.MatchPolicy),
|
||||
},
|
||||
Validations: convertValidations(v1alpha1policy.Spec.Validations),
|
||||
AuditAnnotations: convertAuditAnnotations(v1alpha1policy.Spec.AuditAnnotations),
|
||||
MatchConditions: convertMatchConditions(v1alpha1policy.Spec.MatchConditions),
|
||||
Variables: convertVariables(v1alpha1policy.Spec.Variables),
|
||||
Validations: convertValidations(v1beta1policy.Spec.Validations),
|
||||
AuditAnnotations: convertAuditAnnotations(v1beta1policy.Spec.AuditAnnotations),
|
||||
MatchConditions: convertMatchConditions(v1beta1policy.Spec.MatchConditions),
|
||||
Variables: convertVariables(v1beta1policy.Spec.Variables),
|
||||
},
|
||||
}
|
||||
return v1beta1policy
|
||||
return v1policy
|
||||
}
|
||||
|
||||
// ConvertValidatingAdmissionPolicyBinding is used to convert v1alpha1 of ValidatingAdmissionPolicyBinding to v1beta1
|
||||
func ConvertValidatingAdmissionPolicyBinding(v1alpha1binding admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding) admissionregistrationv1.ValidatingAdmissionPolicyBinding {
|
||||
// ConvertValidatingAdmissionPolicyBinding is used to convert v1beta1 of ValidatingAdmissionPolicyBinding to v1.
|
||||
func ConvertValidatingAdmissionPolicyBinding(v1beta1binding admissionregistrationv1beta1.ValidatingAdmissionPolicyBinding) admissionregistrationv1.ValidatingAdmissionPolicyBinding {
|
||||
var namespaceSelector, objectSelector, paramSelector metav1.LabelSelector
|
||||
var resourceRules, excludeResourceRules []admissionregistrationv1alpha1.NamedRuleWithOperations
|
||||
var matchPolicy *admissionregistrationv1alpha1.MatchPolicyType
|
||||
if v1alpha1binding.Spec.MatchResources != nil {
|
||||
if v1alpha1binding.Spec.MatchResources.NamespaceSelector != nil {
|
||||
namespaceSelector = *v1alpha1binding.Spec.MatchResources.NamespaceSelector
|
||||
var resourceRules, excludeResourceRules []admissionregistrationv1beta1.NamedRuleWithOperations
|
||||
var matchPolicy *admissionregistrationv1beta1.MatchPolicyType
|
||||
if v1beta1binding.Spec.MatchResources != nil {
|
||||
if v1beta1binding.Spec.MatchResources.NamespaceSelector != nil {
|
||||
namespaceSelector = *v1beta1binding.Spec.MatchResources.NamespaceSelector
|
||||
}
|
||||
if v1alpha1binding.Spec.MatchResources.ObjectSelector != nil {
|
||||
objectSelector = *v1alpha1binding.Spec.MatchResources.ObjectSelector
|
||||
if v1beta1binding.Spec.MatchResources.ObjectSelector != nil {
|
||||
objectSelector = *v1beta1binding.Spec.MatchResources.ObjectSelector
|
||||
}
|
||||
resourceRules = v1alpha1binding.Spec.MatchResources.ResourceRules
|
||||
excludeResourceRules = v1alpha1binding.Spec.MatchResources.ExcludeResourceRules
|
||||
matchPolicy = v1alpha1binding.Spec.MatchResources.MatchPolicy
|
||||
resourceRules = v1beta1binding.Spec.MatchResources.ResourceRules
|
||||
excludeResourceRules = v1beta1binding.Spec.MatchResources.ExcludeResourceRules
|
||||
matchPolicy = v1beta1binding.Spec.MatchResources.MatchPolicy
|
||||
}
|
||||
|
||||
var paramRef admissionregistrationv1.ParamRef
|
||||
if v1alpha1binding.Spec.ParamRef != nil {
|
||||
paramRef.Name = v1alpha1binding.Spec.ParamRef.Name
|
||||
paramRef.Namespace = v1alpha1binding.Spec.ParamRef.Namespace
|
||||
if v1alpha1binding.Spec.ParamRef.Selector != nil {
|
||||
paramRef.Selector = v1alpha1binding.Spec.ParamRef.Selector
|
||||
if v1beta1binding.Spec.ParamRef != nil {
|
||||
paramRef.Name = v1beta1binding.Spec.ParamRef.Name
|
||||
paramRef.Namespace = v1beta1binding.Spec.ParamRef.Namespace
|
||||
if v1beta1binding.Spec.ParamRef.Selector != nil {
|
||||
paramRef.Selector = v1beta1binding.Spec.ParamRef.Selector
|
||||
} else {
|
||||
paramRef.Selector = ¶mSelector
|
||||
}
|
||||
paramRef.ParameterNotFoundAction = (*admissionregistrationv1.ParameterNotFoundActionType)(v1alpha1binding.Spec.ParamRef.ParameterNotFoundAction)
|
||||
paramRef.ParameterNotFoundAction = (*admissionregistrationv1.ParameterNotFoundActionType)(v1beta1binding.Spec.ParamRef.ParameterNotFoundAction)
|
||||
}
|
||||
|
||||
v1beta1binding := admissionregistrationv1.ValidatingAdmissionPolicyBinding{
|
||||
v1binding := admissionregistrationv1.ValidatingAdmissionPolicyBinding{
|
||||
Spec: admissionregistrationv1.ValidatingAdmissionPolicyBindingSpec{
|
||||
PolicyName: v1alpha1binding.Spec.PolicyName,
|
||||
PolicyName: v1beta1binding.Spec.PolicyName,
|
||||
ParamRef: ¶mRef,
|
||||
MatchResources: &admissionregistrationv1.MatchResources{
|
||||
NamespaceSelector: &namespaceSelector,
|
||||
|
@ -75,63 +75,63 @@ func ConvertValidatingAdmissionPolicyBinding(v1alpha1binding admissionregistrati
|
|||
ExcludeResourceRules: convertRules(excludeResourceRules),
|
||||
MatchPolicy: (*admissionregistrationv1.MatchPolicyType)(matchPolicy),
|
||||
},
|
||||
ValidationActions: convertValidationActions(v1alpha1binding.Spec.ValidationActions),
|
||||
ValidationActions: convertValidationActions(v1beta1binding.Spec.ValidationActions),
|
||||
},
|
||||
}
|
||||
return v1beta1binding
|
||||
return v1binding
|
||||
}
|
||||
|
||||
func convertRules(v1alpha1rules []admissionregistrationv1alpha1.NamedRuleWithOperations) []admissionregistrationv1.NamedRuleWithOperations {
|
||||
v1beta1rules := make([]admissionregistrationv1.NamedRuleWithOperations, 0, len(v1alpha1rules))
|
||||
for _, r := range v1alpha1rules {
|
||||
v1beta1rules = append(v1beta1rules, admissionregistrationv1.NamedRuleWithOperations(r))
|
||||
func convertRules(v1beta1rules []admissionregistrationv1beta1.NamedRuleWithOperations) []admissionregistrationv1.NamedRuleWithOperations {
|
||||
v1rules := make([]admissionregistrationv1.NamedRuleWithOperations, 0, len(v1beta1rules))
|
||||
for _, r := range v1beta1rules {
|
||||
v1rules = append(v1rules, admissionregistrationv1.NamedRuleWithOperations(r))
|
||||
}
|
||||
return v1beta1rules
|
||||
return v1rules
|
||||
}
|
||||
|
||||
func convertValidations(v1alpha1validations []admissionregistrationv1alpha1.Validation) []admissionregistrationv1.Validation {
|
||||
v1beta1validations := make([]admissionregistrationv1.Validation, 0, len(v1alpha1validations))
|
||||
for _, v := range v1alpha1validations {
|
||||
v1beta1validations = append(v1beta1validations, admissionregistrationv1.Validation(v))
|
||||
func convertValidations(v1beta1validations []admissionregistrationv1beta1.Validation) []admissionregistrationv1.Validation {
|
||||
v1validations := make([]admissionregistrationv1.Validation, 0, len(v1beta1validations))
|
||||
for _, v := range v1beta1validations {
|
||||
v1validations = append(v1validations, admissionregistrationv1.Validation(v))
|
||||
}
|
||||
return v1beta1validations
|
||||
return v1validations
|
||||
}
|
||||
|
||||
func convertAuditAnnotations(v1alpha1auditanns []admissionregistrationv1alpha1.AuditAnnotation) []admissionregistrationv1.AuditAnnotation {
|
||||
v1beta1auditanns := make([]admissionregistrationv1.AuditAnnotation, 0, len(v1alpha1auditanns))
|
||||
for _, a := range v1alpha1auditanns {
|
||||
v1beta1auditanns = append(v1beta1auditanns, admissionregistrationv1.AuditAnnotation(a))
|
||||
func convertAuditAnnotations(v1beta1auditanns []admissionregistrationv1beta1.AuditAnnotation) []admissionregistrationv1.AuditAnnotation {
|
||||
v1auditanns := make([]admissionregistrationv1.AuditAnnotation, 0, len(v1beta1auditanns))
|
||||
for _, a := range v1beta1auditanns {
|
||||
v1auditanns = append(v1auditanns, admissionregistrationv1.AuditAnnotation(a))
|
||||
}
|
||||
return v1beta1auditanns
|
||||
return v1auditanns
|
||||
}
|
||||
|
||||
func convertMatchConditions(v1alpha1conditions []admissionregistrationv1alpha1.MatchCondition) []admissionregistrationv1.MatchCondition {
|
||||
v1beta1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1alpha1conditions))
|
||||
for _, m := range v1alpha1conditions {
|
||||
v1beta1conditions = append(v1beta1conditions, admissionregistrationv1.MatchCondition(m))
|
||||
}
|
||||
return v1beta1conditions
|
||||
}
|
||||
|
||||
func convertVariables(v1alpha1variables []admissionregistrationv1alpha1.Variable) []admissionregistrationv1.Variable {
|
||||
v1beta1variables := make([]admissionregistrationv1.Variable, 0, len(v1alpha1variables))
|
||||
for _, v := range v1alpha1variables {
|
||||
v1beta1variables = append(v1beta1variables, admissionregistrationv1.Variable(v))
|
||||
}
|
||||
return v1beta1variables
|
||||
}
|
||||
|
||||
func convertValidationActions(v1alpha1actions []admissionregistrationv1alpha1.ValidationAction) []admissionregistrationv1.ValidationAction {
|
||||
v1beta1actions := make([]admissionregistrationv1.ValidationAction, 0, len(v1alpha1actions))
|
||||
for _, a := range v1alpha1actions {
|
||||
v1beta1actions = append(v1beta1actions, admissionregistrationv1.ValidationAction(a))
|
||||
}
|
||||
return v1beta1actions
|
||||
}
|
||||
|
||||
func ConvertMatchConditionsV1(v1alpha1conditions []admissionregistrationv1alpha1.MatchCondition) []admissionregistrationv1.MatchCondition {
|
||||
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1alpha1conditions))
|
||||
for _, m := range v1alpha1conditions {
|
||||
func convertMatchConditions(v1beta1conditions []admissionregistrationv1beta1.MatchCondition) []admissionregistrationv1.MatchCondition {
|
||||
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1beta1conditions))
|
||||
for _, m := range v1beta1conditions {
|
||||
v1conditions = append(v1conditions, admissionregistrationv1.MatchCondition(m))
|
||||
}
|
||||
return v1conditions
|
||||
}
|
||||
|
||||
func convertVariables(v1beta1variables []admissionregistrationv1beta1.Variable) []admissionregistrationv1.Variable {
|
||||
v1variables := make([]admissionregistrationv1.Variable, 0, len(v1beta1variables))
|
||||
for _, v := range v1beta1variables {
|
||||
v1variables = append(v1variables, admissionregistrationv1.Variable(v))
|
||||
}
|
||||
return v1variables
|
||||
}
|
||||
|
||||
func convertValidationActions(v1beta1actions []admissionregistrationv1beta1.ValidationAction) []admissionregistrationv1.ValidationAction {
|
||||
v1actions := make([]admissionregistrationv1.ValidationAction, 0, len(v1beta1actions))
|
||||
for _, a := range v1beta1actions {
|
||||
v1actions = append(v1actions, admissionregistrationv1.ValidationAction(a))
|
||||
}
|
||||
return v1actions
|
||||
}
|
||||
|
||||
func ConvertMatchConditionsV1(v1beta1conditions []admissionregistrationv1beta1.MatchCondition) []admissionregistrationv1.MatchCondition {
|
||||
v1conditions := make([]admissionregistrationv1.MatchCondition, 0, len(v1beta1conditions))
|
||||
for _, m := range v1beta1conditions {
|
||||
v1conditions = append(v1conditions, admissionregistrationv1.MatchCondition(m))
|
||||
}
|
||||
return v1conditions
|
||||
|
|
|
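Review bot: ConvertValidatingAdmissionPolicy dereferences `v1beta1policy.Spec.MatchConstraints` without a nil check at the top of the first hunk, and the field is a pointer. The API server requires matchConstraints so objects read from a cluster are safe, but the CLI path in this same commit decodes user-supplied YAML with FromUnstructuredWithValidation, which as far as I can tell only rejects unknown fields, so a policy file that omits matchConstraints would panic here rather than fail with a message; a local with a fallback, `mc := v1beta1policy.Spec.MatchConstraints; if mc == nil { mc = &admissionregistrationv1beta1.MatchResources{} }`, used in place of the repeated `Spec.MatchConstraints` accesses would close that, and validateResource in the validate.go section reads `policy.Spec.MatchConstraints.MatchPolicy` with the same assumption. Separately, after the rename in the -75 hunk, convertMatchConditions and ConvertMatchConditionsV1 are byte-for-byte identical; one can simply return the other so the two cannot drift apart.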
@ -30,7 +30,7 @@ import (
|
|||
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
vaputils "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
|
||||
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
|
||||
admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
|
@ -470,7 +470,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
|||
}
|
||||
|
||||
// build Kubernetes ValidatingAdmissionPolicy
|
||||
vap := &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
|
||||
vap := &admissionregistrationv1beta1.ValidatingAdmissionPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: policy.GetName(),
|
||||
},
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
kind: Cluster
|
||||
apiVersion: kind.x-k8s.io/v1alpha4
|
||||
featureGates:
|
||||
ValidatingAdmissionPolicy: true
|
||||
runtimeConfig:
|
||||
admissionregistration.k8s.io/v1alpha1: true
|
||||
kubeadmConfigPatches:
|
||||
- |-
|
||||
kind: ClusterConfiguration
|
||||
controllerManager:
|
||||
extraArgs:
|
||||
bind-address: 0.0.0.0
|
||||
etcd:
|
||||
local:
|
||||
extraArgs:
|
||||
listen-metrics-urls: http://0.0.0.0:2382
|
||||
scheduler:
|
||||
extraArgs:
|
||||
bind-address: 0.0.0.0
|
||||
- |-
|
||||
kind: KubeProxyConfiguration
|
||||
metricsBindAddress: 0.0.0.0
|
||||
nodes:
|
||||
- role: control-plane
|
||||
kubeadmConfigPatches:
|
||||
- |-
|
||||
kind: InitConfiguration
|
||||
nodeRegistration:
|
||||
kubeletExtraArgs:
|
||||
node-labels: "ingress-ready=true"
|
||||
extraPortMappings:
|
||||
- containerPort: 80
|
||||
hostPort: 80
|
||||
protocol: TCP
|
||||
- containerPort: 443
|
||||
hostPort: 443
|
||||
protocol: TCP
|
||||
- role: worker
|
||||
- role: worker
|
||||
- role: worker
|
|
@ -4,7 +4,6 @@ featureGates:
|
|||
ValidatingAdmissionPolicy: true
|
||||
runtimeConfig:
|
||||
admissionregistration.k8s.io/v1beta1: true
|
||||
admissionregistration.k8s.io/v1alpha1: true
|
||||
kubeadmConfigPatches:
|
||||
- |-
|
||||
kind: ClusterConfiguration
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "chech-deployment-labels"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "chech-deployment-replicas"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "disallow-host-path"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "disallow-host-path"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: disallow-host-path
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
labels:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||||
kind: ValidatingAdmissionPolicyBinding
|
||||
metadata:
|
||||
labels:
|
||||
|
|