fix: handle upgrade for generateExisting policies (#6655)
* add generateExistingOnPolicyUpdate as a pointer Signed-off-by: ShutingZhao <shuting@nirmata.com> * deny policy with generateExistingOnPolicyUpdate specified Signed-off-by: ShutingZhao <shuting@nirmata.com> * convert existing flag Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
36964a3d95
commit
cb6fd07899
9 changed files with 279 additions and 191 deletions
|
@ -101,6 +101,10 @@ type Spec struct {
|
|||
// +optional
|
||||
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
|
||||
|
||||
// Deprecated, use generateExisting instead
|
||||
// +optional
|
||||
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
|
||||
|
||||
// GenerateExisting controls whether to trigger generate rule in existing resources
|
||||
// If is set to "true" generate rule will be triggered and applied to existing matched resources.
|
||||
// Defaults to "false" if not specified.
|
||||
|
@ -214,6 +218,9 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
|||
|
||||
// IsGenerateExisting return GenerateExisting set value
|
||||
func (s *Spec) IsGenerateExisting() bool {
|
||||
if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
|
||||
return true
|
||||
}
|
||||
return s.GenerateExisting
|
||||
}
|
||||
|
||||
|
@ -264,8 +271,18 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
|
|||
return errs
|
||||
}
|
||||
|
||||
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
|
||||
if s.GenerateExistingOnPolicyUpdate != nil {
|
||||
errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "deprecated field, define generateExisting instead"))
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
|
||||
if err := s.ValidateDeprecatedFields(path); err != nil {
|
||||
errs = append(errs, err...)
|
||||
}
|
||||
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
|
||||
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
|
||||
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
|
||||
|
|
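Review bot: `ValidateDeprecatedFields` is a new exported method with no doc comment, and its call site in `Validate` wraps it in a nil check whose result is named `err` even though the value is a `field.ErrorList`; appending a nil slice is already a no-op, so the guard adds nothing. I would document the method with `// ValidateDeprecatedFields refuses a spec that still sets generateExistingOnPolicyUpdate, which is rejected rather than silently honoured so that authors migrate to generateExisting; note that an explicit false is rejected as well.` and collapse the three-line `if` in `Validate` to `errs = append(errs, s.ValidateDeprecatedFields(path)...)`, which matches the `ValidateRules` line directly below it. The same pair of changes applies to the v2beta1 copy in hunk `@ -217,8 +224,18 @@`. The body of `Validate` continues past the end of this hunk.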
|
@ -1220,6 +1220,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
|
|||
*out = new(int32)
|
||||
**out = **in
|
||||
}
|
||||
if in.GenerateExistingOnPolicyUpdate != nil {
|
||||
in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
|
||||
|
|
|
@ -63,6 +63,10 @@ type Spec struct {
|
|||
// +optional
|
||||
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
|
||||
|
||||
// Deprecated, use generateExisting instead
|
||||
// +optional
|
||||
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
|
||||
|
||||
// GenerateExisting controls whether to trigger generate rule in existing resources
|
||||
// If is set to "true" generate rule will be triggered and applied to existing matched resources.
|
||||
// Defaults to "false" if not specified.
|
||||
|
@ -176,6 +180,9 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
|||
|
||||
// IsGenerateExisting return GenerateExisting set value
|
||||
func (s *Spec) IsGenerateExisting() bool {
|
||||
if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
|
||||
return true
|
||||
}
|
||||
return s.GenerateExisting
|
||||
}
|
||||
|
||||
|
@ -217,8 +224,18 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources
|
|||
return errs
|
||||
}
|
||||
|
||||
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
|
||||
if s.GenerateExistingOnPolicyUpdate != nil {
|
||||
errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "deprecated field, define generateExisting instead"))
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
|
||||
if err := s.ValidateDeprecatedFields(path); err != nil {
|
||||
errs = append(errs, err...)
|
||||
}
|
||||
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, clusterResources)...)
|
||||
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
|
||||
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
|
||||
|
|
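Review bot: The doc comment `// IsGenerateExisting return GenerateExisting set value` no longer describes what the method does: when the deprecated `GenerateExistingOnPolicyUpdate` pointer is non-nil and true it returns true regardless of `GenerateExisting`, and only otherwise falls back to the `GenerateExisting` field, so the effective semantics are an OR of the two. Since `ValidateDeprecatedFields` now rejects any spec carrying the pointer, this branch presumably only matters for policies persisted before the upgrade the commit title refers to, which is worth saying so that nobody removes it as dead code. I would replace the comment with `// IsGenerateExisting reports whether generate rules should be applied to existing resources. A true value in the deprecated generateExistingOnPolicyUpdate field takes precedence so that policies stored before the upgrade keep their behaviour; otherwise GenerateExisting is returned.` The identical comment in the v1 copy at hunk `@ -214,6 +218,9 @@` needs the same rewording.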
|
@ -464,6 +464,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
|
|||
*out = new(int32)
|
||||
**out = **in
|
||||
}
|
||||
if in.GenerateExistingOnPolicyUpdate != nil {
|
||||
in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
|
||||
|
|
|
@ -3493,6 +3493,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -10203,6 +10206,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -16672,6 +16678,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -23384,6 +23393,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
|
|
@ -107,6 +107,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -6817,6 +6820,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
|
|
@ -108,6 +108,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -6820,6 +6823,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
|
|
@ -23,12 +23,12 @@ apiVersion: v1
|
|||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kyverno-background-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: background-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
namespace: kyverno
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
|
@ -45,12 +45,12 @@ apiVersion: v1
|
|||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kyverno-reports-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: reports-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
namespace: kyverno
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
|
@ -66,6 +66,7 @@ data:
|
|||
enableDefaultRegistryMutation: "true"
|
||||
defaultRegistry: "docker.io"
|
||||
generateSuccessEvents: "false"
|
||||
excludeBackgroundUsernames: system:serviceaccount:kyverno:kyverno-background-controller
|
||||
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno-admission-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-*]"
|
||||
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
|
||||
---
|
||||
|
@ -107,38 +108,30 @@ spec:
|
|||
scope: Namespaced
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .spec.owner.apiVersion
|
||||
name: ApiVersion
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .spec.owner.kind
|
||||
name: Kind
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .spec.owner.name
|
||||
name: Subject
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .spec.summary.pass
|
||||
name: Pass
|
||||
name: PASS
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.fail
|
||||
name: Fail
|
||||
name: FAIL
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.warn
|
||||
name: Warn
|
||||
name: WARN
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.error
|
||||
name: Error
|
||||
name: ERROR
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.skip
|
||||
name: Skip
|
||||
name: SKIP
|
||||
type: integer
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
|
||||
name: Hash
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
|
||||
name: GVR
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
|
||||
name: REF
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
|
||||
|
@ -1805,38 +1798,30 @@ spec:
|
|||
scope: Cluster
|
||||
versions:
|
||||
- additionalPrinterColumns:
|
||||
- jsonPath: .spec.owner.apiVersion
|
||||
name: ApiVersion
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .spec.owner.kind
|
||||
name: Kind
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .spec.owner.name
|
||||
name: Subject
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: AGE
|
||||
type: date
|
||||
- jsonPath: .spec.summary.pass
|
||||
name: Pass
|
||||
name: PASS
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.fail
|
||||
name: Fail
|
||||
name: FAIL
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.warn
|
||||
name: Warn
|
||||
name: WARN
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.error
|
||||
name: Error
|
||||
name: ERROR
|
||||
type: integer
|
||||
- jsonPath: .spec.summary.skip
|
||||
name: Skip
|
||||
name: SKIP
|
||||
type: integer
|
||||
- jsonPath: .metadata.creationTimestamp
|
||||
name: Age
|
||||
type: date
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
|
||||
name: Hash
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
|
||||
name: GVR
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
|
||||
name: REF
|
||||
priority: 1
|
||||
type: string
|
||||
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
|
||||
|
@ -3591,6 +3576,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -10301,6 +10289,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -16770,6 +16761,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -23482,6 +23476,9 @@ spec:
|
|||
be triggered and applied to existing matched resources. Defaults
|
||||
to "false" if not specified.
|
||||
type: boolean
|
||||
generateExistingOnPolicyUpdate:
|
||||
description: Deprecated, use generateExisting instead
|
||||
type: boolean
|
||||
mutateExistingOnPolicyUpdate:
|
||||
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
|
||||
policy is applied on policy events. Default value is "false".
|
||||
|
@ -31481,110 +31478,101 @@ metadata:
|
|||
app.kubernetes.io/version: latest
|
||||
aggregationRule:
|
||||
clusterRoleSelectors:
|
||||
- matchLabels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
- matchLabels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:userinfo
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- roles
|
||||
- clusterroles
|
||||
- rolebindings
|
||||
- clusterrolebindings
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:policies
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- kyverno.io
|
||||
resources:
|
||||
- policies
|
||||
- policies/status
|
||||
- clusterpolicies
|
||||
- clusterpolicies/status
|
||||
- updaterequests
|
||||
- updaterequests/status
|
||||
- admissionreports
|
||||
- clusteradmissionreports
|
||||
- backgroundscanreports
|
||||
- clusterbackgroundscanreports
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
- apiGroups:
|
||||
- wgpolicyk8s.io
|
||||
resources:
|
||||
- policyreports
|
||||
- policyreports/status
|
||||
- clusterpolicyreports
|
||||
- clusterpolicyreports/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:view
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:generate
|
||||
name: kyverno:admission-controller:core
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- mutatingwebhookconfigurations
|
||||
- validatingwebhookconfigurations
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
- apiGroups:
|
||||
- rbac.authorization.k8s.io
|
||||
resources:
|
||||
- roles
|
||||
- clusterroles
|
||||
- rolebindings
|
||||
- clusterrolebindings
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
- apiGroups:
|
||||
- kyverno.io
|
||||
resources:
|
||||
- policies
|
||||
- policies/status
|
||||
- clusterpolicies
|
||||
- clusterpolicies/status
|
||||
- updaterequests
|
||||
- updaterequests/status
|
||||
- admissionreports
|
||||
- clusteradmissionreports
|
||||
- backgroundscanreports
|
||||
- clusterbackgroundscanreports
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
- apiGroups:
|
||||
- wgpolicyk8s.io
|
||||
resources:
|
||||
- policyreports
|
||||
- policyreports/status
|
||||
- clusterpolicyreports
|
||||
- clusterpolicyreports/status
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
- apiGroups:
|
||||
- ''
|
||||
- events.k8s.io
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
- apiGroups:
|
||||
- '*'
|
||||
resources:
|
||||
- '*'
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
- apiGroups:
|
||||
- networking.k8s.io
|
||||
resources:
|
||||
|
@ -31622,52 +31610,6 @@ rules:
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:events
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
- events.k8s.io
|
||||
resources:
|
||||
- events
|
||||
verbs:
|
||||
- create
|
||||
- update
|
||||
- patch
|
||||
- delete
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:admission-controller:webhook
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
rules:
|
||||
- apiGroups:
|
||||
- admissionregistration.k8s.io
|
||||
resources:
|
||||
- mutatingwebhookconfigurations
|
||||
- validatingwebhookconfigurations
|
||||
verbs:
|
||||
- create
|
||||
- delete
|
||||
- get
|
||||
- list
|
||||
- patch
|
||||
- update
|
||||
- watch
|
||||
- deletecollection
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno:background-controller
|
||||
labels:
|
||||
|
@ -32138,6 +32080,9 @@ subjects:
|
|||
- kind: ServiceAccount
|
||||
name: kyverno-background-controller
|
||||
namespace: kyverno
|
||||
- kind: ServiceAccount
|
||||
name: kyverno-admission-controller
|
||||
namespace: kyverno
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
|
@ -32545,7 +32490,7 @@ spec:
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: kyverno
|
||||
name: kyverno-admission-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: admission-controller
|
||||
|
@ -32617,6 +32562,9 @@ spec:
|
|||
args:
|
||||
- --servicePort=443
|
||||
- --loggingFormat=text
|
||||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
- --metricsPort=8000
|
||||
resources:
|
||||
limits:
|
||||
memory: 384Mi
|
||||
|
@ -32660,7 +32608,7 @@ spec:
|
|||
- name: TUF_ROOT
|
||||
value: /.sigstore
|
||||
- name: KYVERNO_DEPLOYMENT
|
||||
value: kyverno
|
||||
value: kyverno-admission-controller
|
||||
startupProbe:
|
||||
failureThreshold: 20
|
||||
httpGet:
|
||||
|
@ -32709,12 +32657,12 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: kyverno-background-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: background-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
namespace: kyverno
|
||||
spec:
|
||||
replicas:
|
||||
strategy:
|
||||
|
@ -32745,7 +32693,7 @@ spec:
|
|||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values:
|
||||
- reports-controller
|
||||
- background-controller
|
||||
topologyKey: kubernetes.io/hostname
|
||||
weight: 1
|
||||
serviceAccountName: kyverno-background-controller
|
||||
|
@ -32914,12 +32862,12 @@ apiVersion: apps/v1
|
|||
kind: Deployment
|
||||
metadata:
|
||||
name: kyverno-reports-controller
|
||||
namespace: kyverno
|
||||
labels:
|
||||
app.kubernetes.io/component: reports-controller
|
||||
app.kubernetes.io/instance: kyverno
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
namespace: kyverno
|
||||
spec:
|
||||
replicas:
|
||||
strategy:
|
||||
|
|
|
@ -238,6 +238,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
@ -464,6 +476,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
@ -3332,6 +3356,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
@ -5638,6 +5674,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
@ -5863,6 +5911,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
@ -6716,6 +6776,18 @@ Default value is “false”.</p>
|
|||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExistingOnPolicyUpdate</code><br/>
|
||||
<em>
|
||||
bool
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Deprecated, use generateExisting instead</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>generateExisting</code><br/>
|
||||
<em>
|
||||
bool
|
||||
|
|