From c0ab93b95b35ef6376b03e571a4f5943cc8d33a9 Mon Sep 17 00:00:00 2001 From: shuting Date: Tue, 18 Mar 2025 18:40:21 +0800 Subject: [PATCH] fix: autogen status for ivpol (#12431) * feat: enable mutating webhook for ivpol Signed-off-by: ShutingZhao * fix: unit tests Signed-off-by: ShutingZhao * fix: add objects to payload Signed-off-by: ShutingZhao * chore: add chainsaw test Signed-off-by: ShutingZhao * chore: add update codegen Signed-off-by: ShutingZhao * fix: propagate policy response to admission reponse Signed-off-by: ShutingZhao * chore: update chainsaw tests Signed-off-by: ShutingZhao * fix: ivpol autogen meta Signed-off-by: ShutingZhao --------- 
Signed-off-by: ShutingZhao --- .../v1alpha1/imageverification_policy.go | 9 +- .../v1alpha1/validating_policy.go | 5 +- .../v1alpha1/zz_generated.deepcopy.go | 1 - ....kyverno.io_imageverificationpolicies.yaml | 144 ++++----- ...olicies.kyverno.io_validatingpolicies.yaml | 140 ++++----- ....kyverno.io_imageverificationpolicies.yaml | 144 ++++----- ...olicies.kyverno.io_validatingpolicies.yaml | 140 ++++----- ....kyverno.io_imageverificationpolicies.yaml | 144 ++++----- ...olicies.kyverno.io_validatingpolicies.yaml | 140 ++++----- config/install-latest-testing.yaml | 284 +++++++++--------- docs/user/crd/index.html | 16 +- pkg/cel/autogen/ivpol.go | 5 +- pkg/cel/engine/provider.go | 6 +- pkg/controllers/policystatus/controller.go | 3 +- pkg/controllers/policystatus/ivpol.go | 3 +- pkg/controllers/policystatus/vpol.go | 3 +- .../match-conditions/chainsaw-test.yaml | 4 +- .../match-conditions/policy-assert.yaml | 17 ++ .../chainsaw-test.yaml | 4 +- .../policy-assert.yaml | 17 ++ .../chainsaw-test.yaml | 4 +- .../policy-assert.yaml | 17 ++ .../autogen/none/chainsaw-test.yaml | 4 +- .../autogen/none/policy-assert.yaml | 17 ++ .../autogen/should-autogen/chainsaw-test.yaml | 4 +- .../autogen/should-autogen/policy-assert.yaml | 17 ++ .../should-not-autogen/chainsaw-test.yaml | 4 +- .../should-not-autogen/policy-assert.yaml | 16 + .../context/configmap/chainsaw-test.yaml | 4 +- .../context/configmap/policy-assert.yaml | 17 ++ .../globalreference/chainsaw-test.yaml | 4 +- .../globalreference/policy-assert.yaml | 17 ++ .../context/image-data/chainsaw-test.yaml | 4 +- .../context/image-data/deployment.yaml | 2 +- .../context/image-data/policy-assert.yaml | 17 ++ .../context/imagereference/chainsaw-test.yaml | 4 +- .../context/imagereference/policy-assert.yaml | 17 ++ .../context/resource/chainsaw-test.yaml | 4 +- .../context/resource/policy-assert.yaml | 17 ++ .../failure-policy/default/chainsaw-test.yaml | 4 +- .../failure-policy/default/policy-assert.yaml | 17 ++ 
.../failure-policy/fail/chainsaw-test.yaml | 4 +- .../failure-policy/fail/policy-assert.yaml | 17 ++ .../failure-policy/ignore/chainsaw-test.yaml | 4 +- .../failure-policy/ignore/policy-assert.yaml | 17 ++ .../report-message-exp/chainsaw-test.yaml | 4 +- .../report-message-exp/policy-assert.yaml | 17 ++ .../report/chainsaw-test.yaml | 4 +- .../report/policy-assert.yaml | 17 ++ .../audit/chainsaw-test.yaml | 4 +- .../audit/policy-assert.yaml | 17 ++ .../deny/chainsaw-test.yaml | 4 +- .../deny/policy-assert.yaml | 17 ++ .../none/chainsaw-test.yaml | 4 +- .../none/policy-assert.yaml | 17 ++ .../warn/chainsaw-test.yaml | 4 +- .../warn/policy-assert.yaml | 17 ++ .../accept/chainsaw-test.yaml | 4 +- .../accept/policy-assert.yaml | 17 ++ .../reject/chainsaw-test.yaml | 4 +- .../reject/policy-assert.yaml | 17 ++ .../with-match-conditions/chainsaw-test.yaml | 4 +- .../with-match-conditions/policy-assert.yaml | 17 ++ .../match-conditions/chainsaw-test.yaml | 2 + .../match-conditions/policy-assert.yaml | 17 ++ .../multiple/chainsaw-test.yaml | 2 + .../multiple/policy-assert.yaml | 17 ++ .../single/chainsaw-test.yaml | 2 + .../single/policy-assert.yaml | 17 ++ 69 files changed, 1106 insertions(+), 622 deletions(-) create mode 100644 test/conformance/chainsaw/imageverificationpolicies/match-conditions/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/autogen/none/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/context/configmap/policy-assert.yaml create 
mode 100644 test/conformance/chainsaw/validating-policies/context/globalreference/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/context/image-data/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/context/imagereference/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/context/resource/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/report-message-exp/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/report/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-actions/audit/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-actions/deny/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-actions/none/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-actions/warn/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-rules/accept/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-rules/reject/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/policy-assert.yaml create mode 100644 test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/policy-assert.yaml create mode 
100644 test/conformance/chainsaw/validating-policies/webhook-configuration/single/policy-assert.yaml
diff --git a/api/policies.kyverno.io/v1alpha1/imageverification_policy.go b/api/policies.kyverno.io/v1alpha1/imageverification_policy.go
index f5a4c0a26b..7587911343 100644
--- a/api/policies.kyverno.io/v1alpha1/imageverification_policy.go
+++ b/api/policies.kyverno.io/v1alpha1/imageverification_policy.go
@@ -16,7 +16,7 @@ import (
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=imageverificationpolicies,scope="Cluster",shortName=ivpol,categories=kyverno
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready`
+// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready`
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 type ImageVerificationPolicy struct {
 metav1.TypeMeta `json:",inline"`
@@ -28,7 +28,8 @@ type ImageVerificationPolicy struct {
 }
 
 type IvpolStatus struct {
- ConditionStatus `json:"conditionStatus,inline"`
+ // +optional
+ ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`
 
 // +optional
 Autogen IvpolAutogenStatus `json:"autogen,omitempty"`
@@ -40,8 +41,8 @@ type IvpolAutogenStatus struct {
 }
 
 type IvpolAutogen struct {
- metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec ImageVerificationPolicySpec `json:"spec"`
+ Name string `json:"name,omitempty"`
+ Spec ImageVerificationPolicySpec `json:"spec"`
 }
 
 func (s *ImageVerificationPolicy) GetName() string {
diff --git a/api/policies.kyverno.io/v1alpha1/validating_policy.go b/api/policies.kyverno.io/v1alpha1/validating_policy.go
index f029d6087e..6432ca9868 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_policy.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_policy.go
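Review bot: The READY column path change in this hunk is one visible sign that `ready`, `message` and `conditions` move from `.status` to `.status.conditionStatus` inside the already served v1alpha1 API, and nothing in the commit description tells consumers. Anything written against the previously published schema, such as a health check that reads `.status.ready` to confirm an image verification policy is active, gets an empty result once the regenerated CRD is installed and should treat that as not ready. I would add a release-note line along the lines of `ImageVerificationPolicy and ValidatingPolicy: status.ready, status.message and status.conditions are now nested under status.conditionStatus`. The same marker change appears in validating_policy.go.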
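Review bot: `omitempty` on the new `ConditionStatus` field of `IvpolStatus` does nothing, because encoding/json never considers a struct value empty, so a policy that has not been reconciled still serializes an empty `conditionStatus` object. If the field is meant to be absent until the controller sets it, declare it as `*ConditionStatus` with the same tag (callers then need a nil check); otherwise drop `omitempty` so the tag matches the behaviour. The field also has only the `+optional` marker above it; a line such as `// ConditionStatus reports readiness and conditions for this policy.` would document it at the field. The `VpolStatus` hunk in validating_policy.go has the same tag.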
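Review bot: `IvpolAutogen.Name` replaces the embedded `metav1.ObjectMeta` without a doc comment, so neither the Go type nor the generated CRD says what the name identifies. Something like `// Name is the name of the autogenerated policy this entry describes.` (wording for the author to confirm) would fix that. With `omitempty` and no validation marker an entry with an empty name is accepted; if code outside this hunk looks entries up or reports results by this name, it should skip or reject empty values rather than let two entries collide. Only the struct is visible here; its producers and consumers (the diffstat lists pkg/cel/autogen/ivpol.go and pkg/cel/engine/provider.go) are outside the hunk.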
@@ -11,7 +11,7 @@ import ( // +kubebuilder:subresource:status // +kubebuilder:resource:path=validatingpolicies,scope="Cluster",shortName=vpol,categories=kyverno // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready` +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready` // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object type ValidatingPolicy struct { @@ -24,7 +24,8 @@ type ValidatingPolicy struct { } type VpolStatus struct { - ConditionStatus `json:"conditionStatus,inline"` + // +optional + ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"` // +optional Autogen AutogenStatus `json:"autogen"` diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go index 58c5636daa..b2e341fe6e 100644 --- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go +++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go @@ -669,7 +669,6 @@ func (in *InToto) DeepCopy() *InToto { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IvpolAutogen) DeepCopyInto(out *IvpolAutogen) { *out = *in - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) return } diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml index f718b8ce1e..0397f4b4a4 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml 
@@ -28,7 +28,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 @@ -961,8 +961,8 @@ spec: rules: items: properties: - metadata: - type: object + name: + type: string spec: description: ImageVerificationPolicySpec is the specification of the desired behavior of the ImageVerificationPolicy. 
@@ -1907,72 +1907,78 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object type: object required: - spec diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index d6244da64b..7c1b8e71d4 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
+++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -28,7 +28,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 
@@ -1264,76 +1264,82 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object generated: description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean type: object required: - spec diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_imageverificationpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_imageverificationpolicies.yaml index e29d75a6bd..32f3bf709b 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_imageverificationpolicies.yaml 
+++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_imageverificationpolicies.yaml @@ -22,7 +22,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 @@ -955,8 +955,8 @@ spec: rules: items: properties: - metadata: - type: object + name: + type: string spec: description: ImageVerificationPolicySpec is the specification of the desired behavior of the ImageVerificationPolicy. 
@@ -1901,72 +1901,78 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object type: object required: - spec diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml index 49bd1bce66..53efb791f1 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml 
@@ -22,7 +22,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 
@@ -1258,76 +1258,82 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object generated: description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean type: object required: - spec diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml index e29d75a6bd..32f3bf709b 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml 
+++ b/config/crds/policies.kyverno.io/policies.kyverno.io_imageverificationpolicies.yaml @@ -22,7 +22,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 @@ -955,8 +955,8 @@ spec: rules: items: properties: - metadata: - type: object + name: + type: string spec: description: ImageVerificationPolicySpec is the specification of the desired behavior of the ImageVerificationPolicy. 
@@ -1901,72 +1901,78 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object type: object required: - spec diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 49bd1bce66..53efb791f1 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
@@ -22,7 +22,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 
@@ -1258,76 +1258,82 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object generated: description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean type: object required: - spec diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index dee003fe55..85c0bf8e69 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -48623,7 +48623,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 @@ -49556,8 +49556,8 @@ spec: rules: items: properties: - metadata: - type: object + name: + type: string spec: description: ImageVerificationPolicySpec is the specification of the desired behavior of the ImageVerificationPolicy. 
@@ -50502,72 +50502,78 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object type: object required: - spec @@ -50607,7 +50613,7 @@ spec: - jsonPath: .metadata.creationTimestamp name: AGE type: date - - jsonPath: .status.ready + - jsonPath: .status.conditionStatus.ready name: READY type: string name: v1alpha1 
@@ -51843,76 +51849,82 @@ spec: type: object type: array type: object - conditions: - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array + conditionStatus: + description: ConditionStatus is the shared status across all policy + types + properties: + conditions: + items: + description: Condition contains details for one aspect of the + current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + description: |- + Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy + It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. + type: string + ready: + description: |- + The ready of a policy is a high-level summary of where the policy is in its lifecycle. + The conditions array, the reason and message fields contain more detail about the policy's status. + type: boolean + type: object generated: description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not type: boolean - message: - description: |- - Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy - It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. - type: string - ready: - description: |- - The ready of a policy is a high-level summary of where the policy is in its lifecycle. - The conditions array, the reason and message fields contain more detail about the policy's status. - type: boolean type: object required: - spec diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index cb58c8d079..88707e6963 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -12053,16 +12053,12 @@ string -metadata
+name
- -Kubernetes meta/v1.ObjectMeta - +string -Refer to the Kubernetes API documentation for the fields of the -metadata field. @@ -12367,9 +12363,7 @@ ConditionStatus -

-(Members of conditionStatus are embedded into this type.) -

+(Optional) @@ -12995,9 +12989,7 @@ ConditionStatus -

-(Members of conditionStatus are embedded into this type.) -

+(Optional) diff --git a/pkg/cel/autogen/ivpol.go b/pkg/cel/autogen/ivpol.go index 8913e24856..3dd27c70f1 100644 --- a/pkg/cel/autogen/ivpol.go +++ b/pkg/cel/autogen/ivpol.go @@ -47,12 +47,11 @@ func autogenIvPols(ivpol *policiesv1alpha1.ImageVerificationPolicy, controllerSe policy = &policiesv1alpha1.IvpolAutogen{} copied := ivpol.DeepCopy() - policy.ObjectMeta = copied.ObjectMeta policy.Spec = copied.Spec if controllers == "cronjobs" { - policy.Name = "autogen-cronjobs-" + policy.Name + policy.Name = "autogen-cronjobs-" + ivpol.GetName() } else { - policy.Name = "autogen-" + policy.Name + policy.Name = "autogen-" + ivpol.GetName() } operations := ivpol.Spec.MatchConstraints.ResourceRules[0].Operations // create a resource rule for pod controllers diff --git a/pkg/cel/engine/provider.go b/pkg/cel/engine/provider.go index 3decdccacf..cfb99addf9 100644 --- a/pkg/cel/engine/provider.go +++ b/pkg/cel/engine/provider.go @@ -300,13 +300,11 @@ func (r *ivpolpolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request) } for _, p := range autogeneratedIvPols { namespacedName := types.NamespacedName{ - Namespace: p.Namespace, - Name: p.Name, + Name: p.Name, } r.policies[namespacedName.String()] = CompiledImageVerificationPolicy{ Policy: &policiesv1alpha1.ImageVerificationPolicy{ - ObjectMeta: p.ObjectMeta, - Spec: p.Spec, + Spec: p.Spec, }, Actions: actions, } diff --git a/pkg/controllers/policystatus/controller.go b/pkg/controllers/policystatus/controller.go index ad54ff5dc3..2ec03b8151 100644 --- a/pkg/controllers/policystatus/controller.go +++ b/pkg/controllers/policystatus/controller.go 
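Review bot: The generated names `"autogen-" + ivpol.GetName()` and `"autogen-cronjobs-" + ivpol.GetName()` share a namespace with user-authored policy names, and the pkg/cel/engine/provider.go hunk of this commit keys `r.policies` by that name alone. If parent policies are stored in the same map under their own names (not visible in these hunks), a user policy named `autogen-x` and the generated rule of policy `x` would overwrite each other, so one image verification policy could silently replace another. Either reserve the prefix when policies are validated or key generated entries distinctly. At minimum, add a comment here such as `// generated names must be unique against user policy names; r.policies in provider.go is keyed by name`. autogenIvPols starts and ends outside the hunk.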
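Review bot: The compiled entry for each autogenerated rule is now built with `Spec: p.Spec` only, so the `Policy` stored in `r.policies` has an empty `ObjectMeta` and therefore no name. Any consumer that attributes a verification result to the policy's name (reports or admission messages, none of which are visible here) would lose the policy identity for autogen matches, which makes denials harder to audit. Keeping just the name would avoid that, for example `ObjectMeta: metav1.ObjectMeta{Name: p.Name},`, assuming `metav1` is imported in this file. Reconcile continues outside the hunk.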
@@ -103,7 +103,7 @@ func (c controller) reconcile(ctx context.Context, logger logr.Logger, key strin return nil } -func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) { +func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) *policiesv1alpha1.ConditionStatus { var key string var matchConstraints admissionregistrationv1.MatchResources status := &policiesv1alpha1.ConditionStatus{} @@ -154,4 +154,5 @@ func (c controller) reconcileConditions(ctx context.Context, policy engineapi.Ge } else { status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeRBACPermissionsGranted, metav1.ConditionTrue, "Policy is ready for reporting.") } + return status } diff --git a/pkg/controllers/policystatus/ivpol.go b/pkg/controllers/policystatus/ivpol.go index ffb7a27bda..278c5f7b9f 100644 --- a/pkg/controllers/policystatus/ivpol.go +++ b/pkg/controllers/policystatus/ivpol.go @@ -15,7 +15,7 @@ import ( func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alpha1.ImageVerificationPolicy) error { updateFunc := func(ivpol *policiesv1alpha1.ImageVerificationPolicy) error { p := engineapi.NewImageVerificationPolicy(ivpol) - c.reconcileConditions(ctx, p) + conditionStatus := c.reconcileConditions(ctx, p) status := ivpol.GetStatus() status.Autogen.Rules = nil @@ -27,7 +27,6 @@ func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alph status.Autogen.Rules = append(status.Autogen.Rules, autogeneratedIvPols...) ready := true - conditionStatus := status.GetConditionStatus() for _, condition := range conditionStatus.Conditions { if condition.Status != metav1.ConditionTrue { ready = false diff --git a/pkg/controllers/policystatus/vpol.go b/pkg/controllers/policystatus/vpol.go index 9c63a1610e..b9ff7cfd96 100644 --- a/pkg/controllers/policystatus/vpol.go +++ b/pkg/controllers/policystatus/vpol.go 
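Review bot: reconcileConditions has no doc comment in the first controller.go hunk, and after this signature change its result reaches callers only through the return value, which is worth stating. I would add `// reconcileConditions builds a fresh ConditionStatus for policy and returns it; callers are responsible for storing it on the policy status.` above the signature. The visible lines show `status := &policiesv1alpha1.ConditionStatus{}` and the new `return status`, but the body between the two hunks is not shown, so confirm that nothing else is written to the policy before adopting that wording.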
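Review bot: In the second pkg/controllers/policystatus/ivpol.go hunk, `ready := true` is cleared only when a condition is not `ConditionTrue`, so an empty `conditionStatus.Conditions` reports the policy as ready. The visible tail of reconcileConditions always sets the RBAC condition, so this may be unreachable today, but the READY column is what operators use to decide whether an image verification policy is in force, so it should fail closed. I would write `ready := len(conditionStatus.Conditions) > 0` before the loop. The same pattern appears in the second pkg/controllers/policystatus/vpol.go hunk. updateFunc continues past both hunks, so also check that `conditionStatus` is copied back into `status` there.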
@@ -14,7 +14,7 @@ import ( func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1.ValidatingPolicy) error { updateFunc := func(vpol *policiesv1alpha1.ValidatingPolicy) error { p := engineapi.NewValidatingPolicy(vpol) - c.reconcileConditions(ctx, p) + conditionStatus := c.reconcileConditions(ctx, p) status := vpol.GetStatus() status.Autogen.Rules = nil @@ -22,7 +22,6 @@ func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1 status.Autogen.Rules = append(status.Autogen.Rules, rules...) ready := true - conditionStatus := status.GetConditionStatus() for _, condition := range conditionStatus.Conditions { if condition.Status != metav1.ConditionTrue { ready = false diff --git a/test/conformance/chainsaw/imageverificationpolicies/match-conditions/chainsaw-test.yaml b/test/conformance/chainsaw/imageverificationpolicies/match-conditions/chainsaw-test.yaml index 345b51cf40..5ba9156b57 100755 --- a/test/conformance/chainsaw/imageverificationpolicies/match-conditions/chainsaw-test.yaml +++ b/test/conformance/chainsaw/imageverificationpolicies/match-conditions/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create bad pod try: - create: diff --git a/test/conformance/chainsaw/imageverificationpolicies/match-conditions/policy-assert.yaml b/test/conformance/chainsaw/imageverificationpolicies/match-conditions/policy-assert.yaml new file mode 100644 index 0000000000..c2f6e3a26f --- /dev/null +++ b/test/conformance/chainsaw/imageverificationpolicies/match-conditions/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ImageVerificationPolicy +metadata: + name: ivpol-sample +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/chainsaw-test.yaml index e6f2967dd1..d169f53a3a 100755 --- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: check autogen policy try: - assert: diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy-assert.yaml new file mode 100644 index 0000000000..f529a9d76b --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/chainsaw-test.yaml index e748f6f3ff..996da27b9c 100755 --- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: check autogen policy try: - assert: diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy-assert.yaml new file mode 100644 index 0000000000..f529a9d76b --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/autogen/none/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/autogen/none/chainsaw-test.yaml index 7e9c0086d4..38472362b5 100755 --- a/test/conformance/chainsaw/validating-policies/autogen/none/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/autogen/none/chainsaw-test.yaml 
@@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 2s + - assert: + file: policy-assert.yaml - name: check autogen policy try: - assert: diff --git a/test/conformance/chainsaw/validating-policies/autogen/none/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/autogen/none/policy-assert.yaml new file mode 100644 index 0000000000..f529a9d76b --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/autogen/none/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/chainsaw-test.yaml index 76728882f7..d0a26e52ee 100755 --- a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 2s + - assert: + file: policy-assert.yaml - name: check autogen policy try: - assert: diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy-assert.yaml new file mode 100644 index 0000000000..f529a9d76b --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/chainsaw-test.yaml index 623ed48005..1331df6cfd 100755 --- a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 2s + - assert: + file: policy-assert.yaml - name: check autogen policy try: - assert: diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy-assert.yaml new file mode 100644 index 0000000000..9dcd68e830 --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/autogen/should-not-autogen/policy-assert.yaml @@ -0,0 +1,16 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: 'Policy is not ready for reporting, missing permissions: get /v1, + Resource=deployments: ; list /v1, Resource=deployments: ; watch /v1, Resource=deployments: .' + reason: Failed + status: "False" + type: RBACPermissionsGranted \ No newline at end of file 
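Review bot: The new should-not-autogen/policy-assert.yaml pins `RBACPermissionsGranted` to `status: "False"` together with the full message text, and that message names `get /v1, Resource=deployments`, i.e. Deployments under the core group rather than `apps/v1`. If the fixture is meant to exercise a not-ready policy, a comment saying so would help; otherwise the test freezes a group/version mistake in policy.yaml (not visible here) as expected behaviour. The file also leaves out `ready:`, unlike the other assert files; asserting `ready: false`, if the controller sets it, would pin the outcome without depending on the exact wording of the message. The same applies to webhook-configuration/multiple/policy-assert.yaml, whose message names `apps/v1, Resource=configmaps`.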
diff --git a/test/conformance/chainsaw/validating-policies/context/configmap/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/context/configmap/chainsaw-test.yaml index 24d61b7320..58c98a7435 100755 --- a/test/conformance/chainsaw/validating-policies/context/configmap/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/context/configmap/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create configmap try: - create: diff --git a/test/conformance/chainsaw/validating-policies/context/configmap/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/context/configmap/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/context/configmap/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/context/globalreference/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/context/globalreference/chainsaw-test.yaml index de0210c12e..81e7c38490 100755 --- a/test/conformance/chainsaw/validating-policies/context/globalreference/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/context/globalreference/chainsaw-test.yaml @@ -17,8 +17,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 3s + - assert: + file: policy-assert.yaml - try: - apply: file: new-deployment.yaml 
diff --git a/test/conformance/chainsaw/validating-policies/context/globalreference/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/context/globalreference/policy-assert.yaml new file mode 100644 index 0000000000..53c0851a61 --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/context/globalreference/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: cpol-apicall-correct +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/context/image-data/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/context/image-data/chainsaw-test.yaml index 9d0838e12d..08cdfe56da 100755 --- a/test/conformance/chainsaw/validating-policies/context/image-data/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/context/image-data/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/context/image-data/deployment.yaml b/test/conformance/chainsaw/validating-policies/context/image-data/deployment.yaml index cdd89bd495..b41db7f1e7 100644 --- a/test/conformance/chainsaw/validating-policies/context/image-data/deployment.yaml +++ b/test/conformance/chainsaw/validating-policies/context/image-data/deployment.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: deployment + name: deployment-image-data labels: app: nginx spec: 
diff --git a/test/conformance/chainsaw/validating-policies/context/image-data/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/context/image-data/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/context/image-data/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/context/imagereference/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/context/imagereference/chainsaw-test.yaml index 8386a1dec7..6714fade02 100755 --- a/test/conformance/chainsaw/validating-policies/context/imagereference/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/context/imagereference/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/context/imagereference/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/context/imagereference/policy-assert.yaml new file mode 100644 index 0000000000..7b0fdd2d0d --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/context/imagereference/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-images +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/context/resource/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/context/resource/chainsaw-test.yaml index 12ee8c7405..2923b5dd2b 100755 --- a/test/conformance/chainsaw/validating-policies/context/resource/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/context/resource/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create pod try: - create: diff --git a/test/conformance/chainsaw/validating-policies/context/resource/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/context/resource/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/context/resource/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/chainsaw-test.yaml index 5d5eb5c367..fa2c8cfc2c 100755 
--- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/default/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/chainsaw-test.yaml index f0b32af0f0..52bb96ad9f 100755 --- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: 
diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/fail/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/chainsaw-test.yaml index f1541b8db0..420c28dcb5 100755 --- a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/match-conditions/failure-policy/ignore/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml index 08461f5511..21b6c3da88 100644 --- a/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/report-message-exp/chainsaw-test.yaml @@ -10,8 +10,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/report-message-exp/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/report-message-exp/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/report-message-exp/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/report/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/report/chainsaw-test.yaml index a92daa4704..436a2e8284 100755 
--- a/test/conformance/chainsaw/validating-policies/report/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/report/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/report/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/report/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/report/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/audit/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/audit/chainsaw-test.yaml index db811c84c5..4a40bd3fa5 100755 --- a/test/conformance/chainsaw/validating-policies/validation-actions/audit/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-actions/audit/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-actions/audit/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/deny/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/deny/chainsaw-test.yaml index 0be48926ab..9bafa9144a 100755 --- a/test/conformance/chainsaw/validating-policies/validation-actions/deny/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-actions/deny/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-actions/deny/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/none/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/none/chainsaw-test.yaml index cde11babc1..0718aac963 100755 --- a/test/conformance/chainsaw/validating-policies/validation-actions/none/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-actions/none/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/none/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/none/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-actions/none/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/warn/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/warn/chainsaw-test.yaml index bb4563f6cd..cf02f3df1e 100755 --- a/test/conformance/chainsaw/validating-policies/validation-actions/warn/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-actions/warn/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: 
diff --git a/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-actions/warn/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/accept/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/accept/chainsaw-test.yaml index f62adce759..995aa90a99 100755 --- a/test/conformance/chainsaw/validating-policies/validation-rules/accept/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-rules/accept/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-rules/accept/policy-assert.yaml 
@@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/reject/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/reject/chainsaw-test.yaml index f6db8f3832..e36cc04c04 100755 --- a/test/conformance/chainsaw/validating-policies/validation-rules/reject/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-rules/reject/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create deployment try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy-assert.yaml new file mode 100644 index 0000000000..badd15fd5f --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-rules/reject/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: check-deployment-labels +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file 
diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/chainsaw-test.yaml index c4c2dd0e9c..d0493474aa 100755 --- a/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/chainsaw-test.yaml @@ -9,8 +9,8 @@ spec: try: - create: file: policy.yaml - - sleep: - duration: 10s + - assert: + file: policy-assert.yaml - name: create good pod try: - create: diff --git a/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/policy-assert.yaml new file mode 100644 index 0000000000..f529a9d76b --- /dev/null +++ b/test/conformance/chainsaw/validating-policies/validation-rules/with-match-conditions/policy-assert.yaml @@ -0,0 +1,17 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: disallow-privilege-escalation +status: + conditionStatus: + conditions: + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + message: "" + ready: true \ No newline at end of file diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/chainsaw-test.yaml index 16afc49b01..3b5509ba3e 100755 --- a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/chainsaw-test.yaml +++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/chainsaw-test.yaml 
@@ -9,6 +9,8 @@ spec:
 try:
 - create:
 file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
 - name: check webhooks
 try:
 - assert:
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/policy-assert.yaml
new file mode 100644
index 0000000000..f529a9d76b
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/match-conditions/policy-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: disallow-privilege-escalation
+status:
+ conditionStatus:
+ conditions:
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ type: RBACPermissionsGranted
+ message: ""
+ ready: true
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/chainsaw-test.yaml
index e48f0e8652..78ef7fab42 100755
--- a/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/chainsaw-test.yaml
@@ -9,6 +9,8 @@ spec:
 try:
 - create:
 file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
 - name: check webhooks
 try:
 - assert:
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/policy-assert.yaml
new file mode 100644
index 0000000000..095d2c1d66
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/multiple/policy-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-deployment-labels
+status:
+ conditionStatus:
+ conditions:
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ - message: 'Policy is not ready for reporting, missing permissions: get apps/v1,
+ Resource=configmaps: ; list apps/v1,
+ Resource=configmaps: ; watch apps/v1,
+ Resource=configmaps: .'
+ reason: Failed
+ status: "False"
+ type: RBACPermissionsGranted
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/single/chainsaw-test.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/single/chainsaw-test.yaml
index ebd0a8aae1..49c80e9767 100755
--- a/test/conformance/chainsaw/validating-policies/webhook-configuration/single/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/single/chainsaw-test.yaml
@@ -9,6 +9,8 @@ spec:
 try:
 - create:
 file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
 - name: check webhooks
 try:
 - assert:
diff --git a/test/conformance/chainsaw/validating-policies/webhook-configuration/single/policy-assert.yaml b/test/conformance/chainsaw/validating-policies/webhook-configuration/single/policy-assert.yaml
new file mode 100644
index 0000000000..badd15fd5f
--- /dev/null
+++ b/test/conformance/chainsaw/validating-policies/webhook-configuration/single/policy-assert.yaml
@@ -0,0 +1,17 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-deployment-labels
+status:
+ conditionStatus:
+ conditions:
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ type: RBACPermissionsGranted
+ message: ""
+ ready: true
\ No newline at end of file
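Review bot: In webhook-configuration/multiple/policy-assert.yaml the expected `RBACPermissionsGranted` message is pinned verbatim, including `apps/v1, Resource=configmaps` and an empty reason after each colon. ConfigMaps belong to the core `v1` API, so unless policy.yaml (not shown here) really names that group, the test freezes what looks like a malformed permission message. Asserting only `reason: Failed`, `status: "False"` and `type: RBACPermissionsGranted` would keep the check and let the message be corrected later. Unlike the other policy-assert.yaml files in this commit, this one does not assert `ready`. If the controller reports `ready: false` when permissions are missing, adding that line would pin that a policy unable to report is never shown as ready.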