
fix: autogen status for ivpol (#12431)

* feat: enable mutating webhook for ivpol

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: add objects to payload

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: add chainsaw test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: add update codegen

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: propagate policy response to admission response

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: update chainsaw tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: ivpol autogen meta

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2025-03-18 18:40:21 +08:00 committed by GitHub
parent c0d7332d14
commit c0ab93b95b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
69 changed files with 1106 additions and 622 deletions


@ -16,7 +16,7 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=imageverificationpolicies,scope="Cluster",shortName=ivpol,categories=kyverno
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready`
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready`
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type ImageVerificationPolicy struct {
metav1.TypeMeta `json:",inline"`
@ -28,7 +28,8 @@ type ImageVerificationPolicy struct {
}
type IvpolStatus struct {
ConditionStatus `json:"conditionStatus,inline"`
// +optional
ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`
// +optional
Autogen IvpolAutogenStatus `json:"autogen,omitempty"`
@ -40,8 +41,8 @@ type IvpolAutogenStatus struct {
}
type IvpolAutogen struct {
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec ImageVerificationPolicySpec `json:"spec"`
Name string `json:"name,omitempty"`
Spec ImageVerificationPolicySpec `json:"spec"`
}
func (s *ImageVerificationPolicy) GetName() string {
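Review bot: The new `Name` field on `IvpolAutogen` and the new `ConditionStatus` field on `IvpolStatus` (and on `VpolStatus` in the next file) carry no doc comment, so controller-gen emits them into the CRD schema without a description — the bare `name: type: string` entry in the ImageVerificationPolicy CRD hunk further down shows this. Adding `// Name is the name of the autogenerated rule.` above `Name` and `// ConditionStatus is the shared status across all policy types.` above `ConditionStatus` would propagate into the schema on the next codegen run. Turning the inlined embed into a nested `conditionStatus` object also moves the path consumers read (`.status.ready` becomes `.status.conditionStatus.ready`, as the printcolumn change shows); for a v1alpha1 API this is presumably acceptable, but it deserves a sentence in the commit message. The `IvpolAutogenStatus` struct and the rest of the file lie outside the hunk.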


@ -11,7 +11,7 @@ import (
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=validatingpolicies,scope="Cluster",shortName=vpol,categories=kyverno
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready`
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready`
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type ValidatingPolicy struct {
@ -24,7 +24,8 @@ type ValidatingPolicy struct {
}
type VpolStatus struct {
ConditionStatus `json:"conditionStatus,inline"`
// +optional
ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`
// +optional
Autogen AutogenStatus `json:"autogen"`
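Review bot: The `Autogen` field of `VpolStatus` keeps the tag `json:"autogen"` while the `ConditionStatus` field introduced just above it, and `Autogen` on `IvpolStatus` in the previous file, use `omitempty` next to `// +optional`, so the two policy status types now tag optional fields differently. Aligning it as `Autogen AutogenStatus `json:"autogen,omitempty"`` keeps the two status types consistent; if `AutogenStatus` is a struct, `omitempty` does not suppress the field in encoding/json, so this is a consistency point rather than a behavioural one. The `VpolStatus` struct closes outside the hunk.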


@ -669,7 +669,6 @@ func (in *InToto) DeepCopy() *InToto {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IvpolAutogen) DeepCopyInto(out *IvpolAutogen) {
*out = *in
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
return
}


@ -28,7 +28,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -961,8 +961,8 @@ spec:
rules:
items:
properties:
metadata:
type: object
name:
type: string
spec:
description: ImageVerificationPolicySpec is the specification
of the desired behavior of the ImageVerificationPolicy.
@ -1907,72 +1907,78 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
type: object
required:
- spec


@ -28,7 +28,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -1264,76 +1264,82 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
generated:
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
is generated from the policy or not
type: boolean
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
required:
- spec


@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -955,8 +955,8 @@ spec:
rules:
items:
properties:
metadata:
type: object
name:
type: string
spec:
description: ImageVerificationPolicySpec is the specification
of the desired behavior of the ImageVerificationPolicy.
@ -1901,72 +1901,78 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
type: object
required:
- spec


@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -1258,76 +1258,82 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
generated:
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
is generated from the policy or not
type: boolean
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
required:
- spec


@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -955,8 +955,8 @@ spec:
rules:
items:
properties:
metadata:
type: object
name:
type: string
spec:
description: ImageVerificationPolicySpec is the specification
of the desired behavior of the ImageVerificationPolicy.
@ -1901,72 +1901,78 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
type: object
required:
- spec


@ -22,7 +22,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -1258,76 +1258,82 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
generated:
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
is generated from the policy or not
type: boolean
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
required:
- spec

@ -48623,7 +48623,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -49556,8 +49556,8 @@ spec:
rules:
items:
properties:
metadata:
type: object
name:
type: string
spec:
description: ImageVerificationPolicySpec is the specification
of the desired behavior of the ImageVerificationPolicy.
@ -50502,72 +50502,78 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
type: object
required:
- spec
@ -50607,7 +50613,7 @@ spec:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.ready
- jsonPath: .status.conditionStatus.ready
name: READY
type: string
name: v1alpha1
@ -51843,76 +51849,82 @@ spec:
type: object
type: array
type: object
conditions:
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
conditionStatus:
description: ConditionStatus is the shared status across all policy
types
properties:
conditions:
items:
description: Condition contains details for one aspect of the
current state of this API Resource.
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
generated:
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
is generated from the policy or not
type: boolean
message:
description: |-
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
type: string
ready:
description: |-
The ready of a policy is a high-level summary of where the policy is in its lifecycle.
The conditions array, the reason and message fields contain more detail about the policy's status.
type: boolean
type: object
required:
- spec

@ -12053,16 +12053,12 @@ string
<tbody>
<tr>
<td>
<code>metadata</code><br/>
<code>name</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
Kubernetes meta/v1.ObjectMeta
</a>
string
</em>
</td>
<td>
Refer to the Kubernetes API documentation for the fields of the
<code>metadata</code> field.
</td>
</tr>
<tr>
@ -12367,9 +12363,7 @@ ConditionStatus
</em>
</td>
<td>
<p>
(Members of <code>conditionStatus</code> are embedded into this type.)
</p>
<em>(Optional)</em>
</td>
</tr>
<tr>
@ -12995,9 +12989,7 @@ ConditionStatus
</em>
</td>
<td>
<p>
(Members of <code>conditionStatus</code> are embedded into this type.)
</p>
<em>(Optional)</em>
</td>
</tr>
<tr>

@ -47,12 +47,11 @@ func autogenIvPols(ivpol *policiesv1alpha1.ImageVerificationPolicy, controllerSe
policy = &policiesv1alpha1.IvpolAutogen{}
copied := ivpol.DeepCopy()
policy.ObjectMeta = copied.ObjectMeta
policy.Spec = copied.Spec
if controllers == "cronjobs" {
policy.Name = "autogen-cronjobs-" + policy.Name
policy.Name = "autogen-cronjobs-" + ivpol.GetName()
} else {
policy.Name = "autogen-" + policy.Name
policy.Name = "autogen-" + ivpol.GetName()
}
operations := ivpol.Spec.MatchConstraints.ResourceRules[0].Operations
// create a resource rule for pod controllers
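Review bot: The two branches that set `policy.Name` differ only in the prefix, and `copied` now serves only `policy.Spec`; a single prefix variable reads better: `prefix := "autogen-"; if controllers == "cronjobs" { prefix = "autogen-cronjobs-" }; policy.Name = prefix + ivpol.GetName()`. Because the source object's metadata is no longer copied, a one-line comment on the struct literal would record the intent, e.g. `// IvpolAutogen carries only a derived name and a deep-copied spec; labels and annotations of the source policy are intentionally not propagated.` (assuming that is intentional). The context line `ivpol.Spec.MatchConstraints.ResourceRules[0].Operations` indexes without a length check, but that predates this change. autogenIvPols starts and ends outside the hunk.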

@ -300,13 +300,11 @@ func (r *ivpolpolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
}
for _, p := range autogeneratedIvPols {
namespacedName := types.NamespacedName{
Namespace: p.Namespace,
Name: p.Name,
Name: p.Name,
}
r.policies[namespacedName.String()] = CompiledImageVerificationPolicy{
Policy: &policiesv1alpha1.ImageVerificationPolicy{
ObjectMeta: p.ObjectMeta,
Spec: p.Spec,
Spec: p.Spec,
},
Actions: actions,
}
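Review bot: The `ImageVerificationPolicy` stored in `r.policies` now has no `ObjectMeta` at all, so the compiled policy carries an empty name even though `p.Name` is used as its map key; anything downstream that identifies the policy by name (admission responses, reports, logs) would see an empty string. Since `IvpolAutogen` no longer embeds metadata, set the name explicitly next to `Spec: p.Spec,`: `ObjectMeta: metav1.ObjectMeta{Name: p.Name},` (assuming `metav1` is imported in this file). Reconcile starts and ends outside the hunk.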

@ -103,7 +103,7 @@ func (c controller) reconcile(ctx context.Context, logger logr.Logger, key strin
return nil
}
func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) {
func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) *policiesv1alpha1.ConditionStatus {
var key string
var matchConstraints admissionregistrationv1.MatchResources
status := &policiesv1alpha1.ConditionStatus{}
@ -154,4 +154,5 @@ func (c controller) reconcileConditions(ctx context.Context, policy engineapi.Ge
} else {
status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeRBACPermissionsGranted, metav1.ConditionTrue, "Policy is ready for reporting.")
}
return status
}
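Review bot: `reconcileConditions` now returns the `*ConditionStatus` it builds, but nothing in the hunk says whether it also writes the conditions back onto `policy` or whether the caller owns persistence, and the method has no doc comment, so the contract is easy to get wrong (a caller could persist twice, or not at all). Add a doc comment above the signature, e.g. `// reconcileConditions evaluates the webhook and RBAC readiness of policy and returns the resulting conditions; the caller is responsible for storing them in the policy status.`, adjusted to what the body actually does. The body between the two hunks is outside this view.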

@ -15,7 +15,7 @@ import (
func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alpha1.ImageVerificationPolicy) error {
updateFunc := func(ivpol *policiesv1alpha1.ImageVerificationPolicy) error {
p := engineapi.NewImageVerificationPolicy(ivpol)
c.reconcileConditions(ctx, p)
conditionStatus := c.reconcileConditions(ctx, p)
status := ivpol.GetStatus()
status.Autogen.Rules = nil
@ -27,7 +27,6 @@ func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alph
status.Autogen.Rules = append(status.Autogen.Rules, autogeneratedIvPols...)
ready := true
conditionStatus := status.GetConditionStatus()
for _, condition := range conditionStatus.Conditions {
if condition.Status != metav1.ConditionTrue {
ready = false
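Review bot: The readiness loop now iterates the `conditionStatus` returned by `reconcileConditions`, but the hunk does not show that value being written into `status` (e.g. `status.ConditionStatus = *conditionStatus`); if that assignment lives outside the hunk this is fine, otherwise the conditions and the derived `ready` flag are computed but never persisted and the READY column stays empty. The same applies to `updateVpolStatus` in the next file. The "all conditions true" loop is now duplicated verbatim between the two update functions; a small helper such as `func allConditionsTrue(cs *policiesv1alpha1.ConditionStatus) bool` would remove the copy and also give a single place to guard against a nil return. updateIvpolStatus continues outside the hunk.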

@ -14,7 +14,7 @@ import (
func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1.ValidatingPolicy) error {
updateFunc := func(vpol *policiesv1alpha1.ValidatingPolicy) error {
p := engineapi.NewValidatingPolicy(vpol)
c.reconcileConditions(ctx, p)
conditionStatus := c.reconcileConditions(ctx, p)
status := vpol.GetStatus()
status.Autogen.Rules = nil
@ -22,7 +22,6 @@ func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1
status.Autogen.Rules = append(status.Autogen.Rules, rules...)
ready := true
conditionStatus := status.GetConditionStatus()
for _, condition := range conditionStatus.Conditions {
if condition.Status != metav1.ConditionTrue {
ready = false

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create bad pod
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ImageVerificationPolicy
metadata:
name: ivpol-sample
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: check autogen policy
try:
- assert:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: check autogen policy
try:
- assert:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 2s
- assert:
file: policy-assert.yaml
- name: check autogen policy
try:
- assert:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 2s
- assert:
file: policy-assert.yaml
- name: check autogen policy
try:
- assert:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 2s
- assert:
file: policy-assert.yaml
- name: check autogen policy
try:
- assert:

@ -0,0 +1,16 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: 'Policy is not ready for reporting, missing permissions: get /v1,
Resource=deployments: ; list /v1, Resource=deployments: ; watch /v1, Resource=deployments: .'
reason: Failed
status: "False"
type: RBACPermissionsGranted
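Review bot: This assertion pins the failed `RBACPermissionsGranted` condition but omits `ready`, and chainsaw asserts are subset matches, so the test would still pass if a policy with a `"False"` condition were reported as ready; add `ready: false` under `conditionStatus` so the negative case is actually checked (if the field is marshalled with omitempty and therefore absent when false, use a chainsaw negative check instead). The same gap exists in the other failing-permissions assert file later in this commit, the `check-deployment-labels` one expecting missing configmaps permissions. Pinning the full `message` text (`get /v1, Resource=deployments: ; ...`) also couples the test to the exact formatting of the permission list, which is produced elsewhere; asserting `reason`, `status` and `type` would be less brittle.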

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create configmap
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -17,8 +17,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 3s
- assert:
file: policy-assert.yaml
- try:
- apply:
file: new-deployment.yaml

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: cpol-apicall-correct
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -1,7 +1,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
name: deployment-image-data
labels:
app: nginx
spec:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-images
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create pod
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -10,8 +10,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create deployment
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true

@ -9,8 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- sleep:
duration: 10s
- assert:
file: policy-assert.yaml
- name: create good pod
try:
- create:

@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true


@ -9,6 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: check webhooks
try:
- assert:


@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: disallow-privilege-escalation
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true


@ -9,6 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: check webhooks
try:
- assert:


@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: 'Policy is not ready for reporting, missing permissions: get apps/v1,
Resource=configmaps: ; list apps/v1, Resource=configmaps: ; watch apps/v1,
Resource=configmaps: .'
reason: Failed
status: "False"
type: RBACPermissionsGranted
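Review bot: This negative-case assert checks only the `RBACPermissionsGranted` condition with `status: "False"` and never pins the top-level `ready` field, so the test would still pass if the controller reported the policy as ready despite the missing permissions. If `ready` is meant to reflect that condition, add `ready: false` under `status` next to `conditionStatus`; if it is deliberately left unconstrained, a one-line comment in the file saying so would save the next reader the guess. Separately, the quoted message names `apps/v1, Resource=configmaps`, which is not the group configmaps belong to; if the policy under test intentionally references that GVR this is fine, but if the text is produced by the controller's formatting it is worth confirming it names the resource the policy actually referenced before freezing the string here. Pinning the full multi-line message also makes the test brittle to wording changes, while `status: "False"` and `reason: Failed` already carry the behavior.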


@ -9,6 +9,8 @@ spec:
try:
- create:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: check webhooks
try:
- assert:


@ -0,0 +1,17 @@
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-deployment-labels
status:
conditionStatus:
conditions:
- message: Webhook configured.
reason: Succeeded
status: "True"
type: WebhookConfigured
- message: Policy is ready for reporting.
reason: Succeeded
status: "True"
type: RBACPermissionsGranted
message: ""
ready: true