1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

fix: handle upgrade for generateExisting policies (#6655)

* add generateExistingOnPolicyUpdate as a potiner

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* deny policy with generateExistingOnPolicyUpdate specified

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* convert existing flag

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update api docs

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-03-24 00:36:51 +08:00 committed by GitHub
parent 36964a3d95
commit cb6fd07899
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 279 additions and 191 deletions

View file

@ -101,6 +101,10 @@ type Spec struct {
// +optional
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting instead
// +optional
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
// GenerateExisting controls whether to trigger generate rule in existing resources
// If is set to "true" generate rule will be triggered and applied to existing matched resources.
// Defaults to "false" if not specified.
@ -214,6 +218,9 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
// IsGenerateExisting return GenerateExisting set value
func (s *Spec) IsGenerateExisting() bool {
if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
return true
}
return s.GenerateExisting
}
@ -264,8 +271,18 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
return errs
}
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
if s.GenerateExistingOnPolicyUpdate != nil {
errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "deprecated field, define generateExisting instead"))
}
return errs
}
// Validate implements programmatic validation
func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
if err := s.ValidateDeprecatedFields(path); err != nil {
errs = append(errs, err...)
}
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))

View file

@ -1220,6 +1220,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
*out = new(int32)
**out = **in
}
if in.GenerateExistingOnPolicyUpdate != nil {
in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate
*out = new(bool)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.

View file

@ -63,6 +63,10 @@ type Spec struct {
// +optional
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
// Deprecated, use generateExisting instead
// +optional
GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
// GenerateExisting controls whether to trigger generate rule in existing resources
// If is set to "true" generate rule will be triggered and applied to existing matched resources.
// Defaults to "false" if not specified.
@ -176,6 +180,9 @@ func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
// IsGenerateExisting return GenerateExisting set value
func (s *Spec) IsGenerateExisting() bool {
if s.GenerateExistingOnPolicyUpdate != nil && *s.GenerateExistingOnPolicyUpdate {
return true
}
return s.GenerateExisting
}
@ -217,8 +224,18 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources
return errs
}
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
if s.GenerateExistingOnPolicyUpdate != nil {
errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "deprecated field, define generateExisting instead"))
}
return errs
}
// Validate implements programmatic validation
func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
if err := s.ValidateDeprecatedFields(path); err != nil {
errs = append(errs, err...)
}
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, clusterResources)...)
if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))

View file

@ -464,6 +464,11 @@ func (in *Spec) DeepCopyInto(out *Spec) {
*out = new(int32)
**out = **in
}
if in.GenerateExistingOnPolicyUpdate != nil {
in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate
*out = new(bool)
**out = **in
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.

View file

@ -3493,6 +3493,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -10203,6 +10206,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -16672,6 +16678,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -23384,6 +23393,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".

View file

@ -107,6 +107,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -6817,6 +6820,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".

View file

@ -108,6 +108,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -6820,6 +6823,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".

View file

@ -23,12 +23,12 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-background-controller
namespace: kyverno
labels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
---
apiVersion: v1
kind: ServiceAccount
@ -45,12 +45,12 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-reports-controller
namespace: kyverno
labels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
---
apiVersion: v1
kind: ConfigMap
@ -66,6 +66,7 @@ data:
enableDefaultRegistryMutation: "true"
defaultRegistry: "docker.io"
generateSuccessEvents: "false"
excludeBackgroundUsernames: system:serviceaccount:kyverno:kyverno-background-controller
resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno-admission-controller][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-*]"
webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]'
---
@ -107,38 +108,30 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.owner.apiVersion
name: ApiVersion
priority: 1
type: string
- jsonPath: .spec.owner.kind
name: Kind
priority: 1
type: string
- jsonPath: .spec.owner.name
name: Subject
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.summary.pass
name: Pass
name: PASS
type: integer
- jsonPath: .spec.summary.fail
name: Fail
name: FAIL
type: integer
- jsonPath: .spec.summary.warn
name: Warn
name: WARN
type: integer
- jsonPath: .spec.summary.error
name: Error
name: ERROR
type: integer
- jsonPath: .spec.summary.skip
name: Skip
name: SKIP
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
name: GVR
priority: 1
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
name: REF
priority: 1
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
@ -1805,38 +1798,30 @@ spec:
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.owner.apiVersion
name: ApiVersion
priority: 1
type: string
- jsonPath: .spec.owner.kind
name: Kind
priority: 1
type: string
- jsonPath: .spec.owner.name
name: Subject
priority: 1
type: string
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.summary.pass
name: Pass
name: PASS
type: integer
- jsonPath: .spec.summary.fail
name: Fail
name: FAIL
type: integer
- jsonPath: .spec.summary.warn
name: Warn
name: WARN
type: integer
- jsonPath: .spec.summary.error
name: Error
name: ERROR
type: integer
- jsonPath: .spec.summary.skip
name: Skip
name: SKIP
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr']
name: GVR
priority: 1
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name']
name: REF
priority: 1
type: string
- jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate']
@ -3591,6 +3576,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -10301,6 +10289,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -16770,6 +16761,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -23482,6 +23476,9 @@ spec:
be triggered and applied to existing matched resources. Defaults
to "false" if not specified.
type: boolean
generateExistingOnPolicyUpdate:
description: Deprecated, use generateExisting instead
type: boolean
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
@ -31481,110 +31478,101 @@ metadata:
app.kubernetes.io/version: latest
aggregationRule:
clusterRoleSelectors:
- matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
- matchLabels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:userinfo
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:policies
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:view
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:generate
name: kyverno:admission-controller:core
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- clusterroles
- rolebindings
- clusterrolebindings
verbs:
- watch
- list
- apiGroups:
- kyverno.io
resources:
- policies
- policies/status
- clusterpolicies
- clusterpolicies/status
- updaterequests
- updaterequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- delete
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
@ -31622,52 +31610,6 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:events
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- ''
- events.k8s.io
resources:
- events
verbs:
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:admission-controller:webhook
labels:
app.kubernetes.io/component: admission-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:background-controller
labels:
@ -32138,6 +32080,9 @@ subjects:
- kind: ServiceAccount
name: kyverno-background-controller
namespace: kyverno
- kind: ServiceAccount
name: kyverno-admission-controller
namespace: kyverno
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -32545,7 +32490,7 @@ spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno
name: kyverno-admission-controller
namespace: kyverno
labels:
app.kubernetes.io/component: admission-controller
@ -32617,6 +32562,9 @@ spec:
args:
- --servicePort=443
- --loggingFormat=text
- --disableMetrics=false
- --otelConfig=prometheus
- --metricsPort=8000
resources:
limits:
memory: 384Mi
@ -32660,7 +32608,7 @@ spec:
- name: TUF_ROOT
value: /.sigstore
- name: KYVERNO_DEPLOYMENT
value: kyverno
value: kyverno-admission-controller
startupProbe:
failureThreshold: 20
httpGet:
@ -32709,12 +32657,12 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-background-controller
namespace: kyverno
labels:
app.kubernetes.io/component: background-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
replicas:
strategy:
@ -32745,7 +32693,7 @@ spec:
- key: app.kubernetes.io/component
operator: In
values:
- reports-controller
- background-controller
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: kyverno-background-controller
@ -32914,12 +32862,12 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: kyverno-reports-controller
namespace: kyverno
labels:
app.kubernetes.io/component: reports-controller
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
namespace: kyverno
spec:
replicas:
strategy:

View file

@ -238,6 +238,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool
@ -464,6 +476,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool
@ -3332,6 +3356,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool
@ -5638,6 +5674,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool
@ -5863,6 +5911,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool
@ -6716,6 +6776,18 @@ Default value is &ldquo;false&rdquo;.</p>
</tr>
<tr>
<td>
<code>generateExistingOnPolicyUpdate</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Deprecated, use generateExisting instead</p>
</td>
</tr>
<tr>
<td>
<code>generateExisting</code><br/>
<em>
bool