mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 10:28:36 +00:00
fix: autogen status for ivpol (#12431)
* feat: enable mutating webhook for ivpol Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add objects to payload Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add chainsaw test Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: propagate policy response to admission reponse Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update chainsaw tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: ivpol autogen meta Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting
GitHub
parent
c0d7332d14
commit
c0ab93b95b
69 changed files with 1106 additions and 622 deletions
api/policies.kyverno.io/v1alpha1
charts/kyverno/charts/crds/templates/policies.kyverno.io
cmd/cli/kubectl-kyverno/data/crds
config
crds/policies.kyverno.io
install-latest-testing.yamldocs/user/crd
pkg
test/conformance/chainsaw
imageverificationpolicies/match-conditions
validating-policies
autogen
autogen-deployments-cronjobs
autogen-deployments-statefulsets
none
should-autogen
should-not-autogen
context
configmap
globalreference
image-data
imagereference
resource
match-conditions/failure-policy
default
fail
ignore
report-message-exp
report
validation-actions
audit
deny
none
warn
validation-rules
accept
reject
with-match-conditions
webhook-configuration
match-conditions
multiple
single
|
|
@ -16,7 +16,7 @@ import (
|
|||
// +kubebuilder:subresource:status
|
||||
// +kubebuilder:resource:path=imageverificationpolicies,scope="Cluster",shortName=ivpol,categories=kyverno
|
||||
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
|
||||
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready`
|
||||
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready`
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
type ImageVerificationPolicy struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
|
|
@ -28,7 +28,8 @@ type ImageVerificationPolicy struct {
|
|||
}
|
||||
|
||||
type IvpolStatus struct {
|
||||
ConditionStatus `json:"conditionStatus,inline"`
|
||||
// +optional
|
||||
ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`
|
||||
|
||||
// +optional
|
||||
Autogen IvpolAutogenStatus `json:"autogen,omitempty"`
|
||||
|
|
@ -40,7 +41,7 @@ type IvpolAutogenStatus struct {
|
|||
}
|
||||
|
||||
type IvpolAutogen struct {
|
||||
metav1.ObjectMeta `json:"metadata,omitempty"`
|
||||
Name string `json:"name,omitempty"`
|
||||
Spec ImageVerificationPolicySpec `json:"spec"`
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ import (
|
|||
// +kubebuilder:subresource:status
|
||||
// +kubebuilder:resource:path=validatingpolicies,scope="Cluster",shortName=vpol,categories=kyverno
|
||||
// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
|
||||
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.ready`
|
||||
// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditionStatus.ready`
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
type ValidatingPolicy struct {
|
||||
|
|
@ -24,7 +24,8 @@ type ValidatingPolicy struct {
|
|||
}
|
||||
|
||||
type VpolStatus struct {
|
||||
ConditionStatus `json:"conditionStatus,inline"`
|
||||
// +optional
|
||||
ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`
|
||||
|
||||
// +optional
|
||||
Autogen AutogenStatus `json:"autogen"`
|
||||
|
|
|
|||
|
|
@ -669,7 +669,6 @@ func (in *InToto) DeepCopy() *InToto {
|
|||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *IvpolAutogen) DeepCopyInto(out *IvpolAutogen) {
|
||||
*out = *in
|
||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||
in.Spec.DeepCopyInto(&out.Spec)
|
||||
return
|
||||
}
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -961,8 +961,8 @@ spec:
|
|||
rules:
|
||||
items:
|
||||
properties:
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
type: string
|
||||
spec:
|
||||
description: ImageVerificationPolicySpec is the specification
|
||||
of the desired behavior of the ImageVerificationPolicy.
|
||||
|
|
@ -1907,10 +1907,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1944,7 +1948,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1974,6 +1979,7 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -1264,10 +1264,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1301,7 +1305,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1320,10 +1325,6 @@ spec:
|
|||
- type
|
||||
type: object
|
||||
type: array
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
message:
|
||||
description: |-
|
||||
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
|
|
@ -1335,6 +1336,11 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -955,8 +955,8 @@ spec:
|
|||
rules:
|
||||
items:
|
||||
properties:
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
type: string
|
||||
spec:
|
||||
description: ImageVerificationPolicySpec is the specification
|
||||
of the desired behavior of the ImageVerificationPolicy.
|
||||
|
|
@ -1901,10 +1901,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1938,7 +1942,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1968,6 +1973,7 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -1258,10 +1258,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1295,7 +1299,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1314,10 +1319,6 @@ spec:
|
|||
- type
|
||||
type: object
|
||||
type: array
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
message:
|
||||
description: |-
|
||||
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
|
|
@ -1329,6 +1330,11 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -955,8 +955,8 @@ spec:
|
|||
rules:
|
||||
items:
|
||||
properties:
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
type: string
|
||||
spec:
|
||||
description: ImageVerificationPolicySpec is the specification
|
||||
of the desired behavior of the ImageVerificationPolicy.
|
||||
|
|
@ -1901,10 +1901,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1938,7 +1942,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1968,6 +1973,7 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -1258,10 +1258,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -1295,7 +1299,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -1314,10 +1319,6 @@ spec:
|
|||
- type
|
||||
type: object
|
||||
type: array
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
message:
|
||||
description: |-
|
||||
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
|
|
@ -1329,6 +1330,11 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -48623,7 +48623,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -49556,8 +49556,8 @@ spec:
|
|||
rules:
|
||||
items:
|
||||
properties:
|
||||
metadata:
|
||||
type: object
|
||||
name:
|
||||
type: string
|
||||
spec:
|
||||
description: ImageVerificationPolicySpec is the specification
|
||||
of the desired behavior of the ImageVerificationPolicy.
|
||||
|
|
@ -50502,10 +50502,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -50539,7 +50543,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -50569,6 +50574,7 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
@ -50607,7 +50613,7 @@ spec:
|
|||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .status.ready
|
||||
- jsonPath: .status.conditionStatus.ready
|
||||
name: READY
|
||||
type: string
|
||||
name: v1alpha1
|
||||
|
|
@ -51843,10 +51849,14 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
type: object
|
||||
conditionStatus:
|
||||
description: ConditionStatus is the shared status across all policy
|
||||
types
|
||||
properties:
|
||||
conditions:
|
||||
items:
|
||||
description: Condition contains details for one aspect of the current
|
||||
state of this API Resource.
|
||||
description: Condition contains details for one aspect of the
|
||||
current state of this API Resource.
|
||||
properties:
|
||||
lastTransitionTime:
|
||||
description: |-
|
||||
|
|
@ -51880,7 +51890,8 @@ spec:
|
|||
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
||||
type: string
|
||||
status:
|
||||
description: status of the condition, one of True, False, Unknown.
|
||||
description: status of the condition, one of True, False,
|
||||
Unknown.
|
||||
enum:
|
||||
- "True"
|
||||
- "False"
|
||||
|
|
@ -51899,10 +51910,6 @@ spec:
|
|||
- type
|
||||
type: object
|
||||
type: array
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
message:
|
||||
description: |-
|
||||
Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
|
|
@ -51914,6 +51921,11 @@ spec:
|
|||
The conditions array, the reason and message fields contain more detail about the policy's status.
|
||||
type: boolean
|
||||
type: object
|
||||
generated:
|
||||
description: Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy
|
||||
is generated from the policy or not
|
||||
type: boolean
|
||||
type: object
|
||||
required:
|
||||
- spec
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -12053,16 +12053,12 @@ string
|
|||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>metadata</code><br/>
|
||||
<code>name</code><br/>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#objectmeta-v1-meta">
|
||||
Kubernetes meta/v1.ObjectMeta
|
||||
</a>
|
||||
string
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
Refer to the Kubernetes API documentation for the fields of the
|
||||
<code>metadata</code> field.
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -12367,9 +12363,7 @@ ConditionStatus
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>
|
||||
(Members of <code>conditionStatus</code> are embedded into this type.)
|
||||
</p>
|
||||
<em>(Optional)</em>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -12995,9 +12989,7 @@ ConditionStatus
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>
|
||||
(Members of <code>conditionStatus</code> are embedded into this type.)
|
||||
</p>
|
||||
<em>(Optional)</em>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
|
|||
|
|
@ -47,12 +47,11 @@ func autogenIvPols(ivpol *policiesv1alpha1.ImageVerificationPolicy, controllerSe
|
|||
|
||||
policy = &policiesv1alpha1.IvpolAutogen{}
|
||||
copied := ivpol.DeepCopy()
|
||||
policy.ObjectMeta = copied.ObjectMeta
|
||||
policy.Spec = copied.Spec
|
||||
if controllers == "cronjobs" {
|
||||
policy.Name = "autogen-cronjobs-" + policy.Name
|
||||
policy.Name = "autogen-cronjobs-" + ivpol.GetName()
|
||||
} else {
|
||||
policy.Name = "autogen-" + policy.Name
|
||||
policy.Name = "autogen-" + ivpol.GetName()
|
||||
}
|
||||
operations := ivpol.Spec.MatchConstraints.ResourceRules[0].Operations
|
||||
// create a resource rule for pod controllers
|
||||
|
|
|
|||
|
|
@ -300,12 +300,10 @@ func (r *ivpolpolicyReconciler) Reconcile(ctx context.Context, req ctrl.Request)
|
|||
}
|
||||
for _, p := range autogeneratedIvPols {
|
||||
namespacedName := types.NamespacedName{
|
||||
Namespace: p.Namespace,
|
||||
Name: p.Name,
|
||||
}
|
||||
r.policies[namespacedName.String()] = CompiledImageVerificationPolicy{
|
||||
Policy: &policiesv1alpha1.ImageVerificationPolicy{
|
||||
ObjectMeta: p.ObjectMeta,
|
||||
Spec: p.Spec,
|
||||
},
|
||||
Actions: actions,
|
||||
|
|
|
|||
|
|
@ -103,7 +103,7 @@ func (c controller) reconcile(ctx context.Context, logger logr.Logger, key strin
|
|||
return nil
|
||||
}
|
||||
|
||||
func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) {
|
||||
func (c controller) reconcileConditions(ctx context.Context, policy engineapi.GenericPolicy) *policiesv1alpha1.ConditionStatus {
|
||||
var key string
|
||||
var matchConstraints admissionregistrationv1.MatchResources
|
||||
status := &policiesv1alpha1.ConditionStatus{}
|
||||
|
|
@ -154,4 +154,5 @@ func (c controller) reconcileConditions(ctx context.Context, policy engineapi.Ge
|
|||
} else {
|
||||
status.SetReadyByCondition(policiesv1alpha1.PolicyConditionTypeRBACPermissionsGranted, metav1.ConditionTrue, "Policy is ready for reporting.")
|
||||
}
|
||||
return status
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ import (
|
|||
func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alpha1.ImageVerificationPolicy) error {
|
||||
updateFunc := func(ivpol *policiesv1alpha1.ImageVerificationPolicy) error {
|
||||
p := engineapi.NewImageVerificationPolicy(ivpol)
|
||||
c.reconcileConditions(ctx, p)
|
||||
conditionStatus := c.reconcileConditions(ctx, p)
|
||||
|
||||
status := ivpol.GetStatus()
|
||||
status.Autogen.Rules = nil
|
||||
|
|
@ -27,7 +27,6 @@ func (c controller) updateIvpolStatus(ctx context.Context, ivpol *policiesv1alph
|
|||
status.Autogen.Rules = append(status.Autogen.Rules, autogeneratedIvPols...)
|
||||
|
||||
ready := true
|
||||
conditionStatus := status.GetConditionStatus()
|
||||
for _, condition := range conditionStatus.Conditions {
|
||||
if condition.Status != metav1.ConditionTrue {
|
||||
ready = false
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ import (
|
|||
func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1.ValidatingPolicy) error {
|
||||
updateFunc := func(vpol *policiesv1alpha1.ValidatingPolicy) error {
|
||||
p := engineapi.NewValidatingPolicy(vpol)
|
||||
c.reconcileConditions(ctx, p)
|
||||
conditionStatus := c.reconcileConditions(ctx, p)
|
||||
|
||||
status := vpol.GetStatus()
|
||||
status.Autogen.Rules = nil
|
||||
|
|
@ -22,7 +22,6 @@ func (c controller) updateVpolStatus(ctx context.Context, vpol *policiesv1alpha1
|
|||
status.Autogen.Rules = append(status.Autogen.Rules, rules...)
|
||||
|
||||
ready := true
|
||||
conditionStatus := status.GetConditionStatus()
|
||||
for _, condition := range conditionStatus.Conditions {
|
||||
if condition.Status != metav1.ConditionTrue {
|
||||
ready = false
|
||||
|
|
|
|||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create bad pod
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ImageVerificationPolicy
|
||||
metadata:
|
||||
name: ivpol-sample
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check autogen policy
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check autogen policy
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 2s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check autogen policy
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 2s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check autogen policy
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 2s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check autogen policy
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: 'Policy is not ready for reporting, missing permissions: get /v1,
|
||||
Resource=deployments: ; list /v1, Resource=deployments: ; watch /v1, Resource=deployments: .'
|
||||
reason: Failed
|
||||
status: "False"
|
||||
type: RBACPermissionsGranted
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create configmap
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -17,8 +17,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 3s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- try:
|
||||
- apply:
|
||||
file: new-deployment.yaml
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: cpol-apicall-correct
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: deployment
|
||||
name: deployment-image-data
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-images
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create pod
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -10,8 +10,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create deployment
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,8 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- sleep:
|
||||
duration: 10s
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: create good pod
|
||||
try:
|
||||
- create:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,6 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check webhooks
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: disallow-privilege-escalation
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
|
|
@ -9,6 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check webhooks
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: 'Policy is not ready for reporting, missing permissions: get apps/v1,
|
||||
Resource=configmaps: ; list apps/v1, Resource=configmaps: ; watch apps/v1,
|
||||
Resource=configmaps: .'
|
||||
reason: Failed
|
||||
status: "False"
|
||||
type: RBACPermissionsGranted
|
||||
|
|
@ -9,6 +9,8 @@ spec:
|
|||
try:
|
||||
- create:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: check webhooks
|
||||
try:
|
||||
- assert:
|
||||
|
|
|
|||
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: policies.kyverno.io/v1alpha1
|
||||
kind: ValidatingPolicy
|
||||
metadata:
|
||||
name: check-deployment-labels
|
||||
status:
|
||||
conditionStatus:
|
||||
conditions:
|
||||
- message: Webhook configured.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: WebhookConfigured
|
||||
- message: Policy is ready for reporting.
|
||||
reason: Succeeded
|
||||
status: "True"
|
||||
type: RBACPermissionsGranted
|
||||
message: ""
|
||||
ready: true
|
||||
Loading…
Add table
Reference in a new issue