diff --git a/Makefile b/Makefile
index 45d49f0c82..6e81ea9d08 100644
--- a/Makefile
+++ b/Makefile
@@ -376,7 +376,8 @@ install-controller-gen: ## Install controller-gen
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
- go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
+ go mod edit -replace=sigs.k8s.io/controller-tools@$(CONTROLLER_GEN_REQ_VERSION)=github.com/eddycharly/controller-tools@704af868d45a3a78448b9a6a2279c12ea96a621e ;\
+ go get sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_REQ_VERSION) ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOPATH)/bin/controller-gen
diff --git a/api/kyverno/v1beta1/updaterequest_types.go b/api/kyverno/v1beta1/updaterequest_types.go
index 0252cae11b..829667b4bd 100644
--- a/api/kyverno/v1beta1/updaterequest_types.go
+++ b/api/kyverno/v1beta1/updaterequest_types.go
@@ -117,7 +117,7 @@ type RequestInfo struct {
// AdmissionRequestInfoObject stores the admission request and operation details
type AdmissionRequestInfoObject struct {
// +optional
- AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
+ AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
// +optional
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
}
diff --git a/api/kyverno/v1beta1/zz_generated.deepcopy.go b/api/kyverno/v1beta1/zz_generated.deepcopy.go
index 834327a267..b388639dd6 100644
--- a/api/kyverno/v1beta1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1beta1/zz_generated.deepcopy.go
@@ -21,12 +21,18 @@ package v1beta1
import (
"github.com/kyverno/kyverno/api/kyverno/v1"
+ admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject) {
*out = *in
+ if in.AdmissionRequest != nil {
+ in, out := &in.AdmissionRequest, &out.AdmissionRequest
+ *out = new(admissionv1.AdmissionRequest)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject.
@@ -145,7 +151,7 @@ func (in *UpdateRequestSpec) DeepCopy() *UpdateRequestSpec {
func (in *UpdateRequestSpecContext) DeepCopyInto(out *UpdateRequestSpecContext) {
*out = *in
in.UserRequestInfo.DeepCopyInto(&out.UserRequestInfo)
- out.AdmissionRequestInfo = in.AdmissionRequestInfo
+ in.AdmissionRequestInfo.DeepCopyInto(&out.AdmissionRequestInfo)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpecContext.
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index 1b0f5e1794..bf1283b43b 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -1611,12 +1611,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -1883,12 +1877,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -2155,12 +2143,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -2336,12 +2318,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -3955,12 +3931,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -4227,12 +4197,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -4499,12 +4463,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -4577,7 +4535,127 @@ spec:
description: AdmissionRequestInfoObject stores the admission request and operation details
properties:
admissionRequest:
- type: string
+ description: AdmissionRequest describes the admission.Attributes for the admission request.
+ properties:
+ dryRun:
+ description: DryRun indicates that modifications will definitely not be persisted for this request. Defaults to false.
+ type: boolean
+ kind:
+ description: Kind is the fully-qualified type of object being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ name:
+ description: Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and rely on the server to generate the name. If that is the case, this field will contain an empty string.
+ type: string
+ namespace:
+ description: Namespace is the namespace associated with the request (if any).
+ type: string
+ object:
+ description: Object is the object from the incoming request.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ oldObject:
+ description: OldObject is the existing object. Only populated for DELETE and UPDATE requests.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ operation:
+ description: Operation is the operation being performed. This may be different than the operation requested. e.g. a patch can result in either a CREATE or UPDATE Operation.
+ type: string
+ options:
+ description: Options is the operation option structure of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be different than the options the caller provided. e.g. for a patch request the performed Operation might be a CREATE, in which case the Options will a `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ requestKind:
+ description: "RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in \"kind\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` (matching the rule the webhook registered for), and `requestKind: {group:\"apps\", version:\"v1beta1\", kind:\"Deployment\"}` (indicating the kind of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type for more details."
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ requestResource:
+ description: "RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in \"resource\", an equivalent match and conversion was performed. \n For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:\"apps\", version:\"v1\", resource:\"deployments\"}` (matching the resource the webhook registered for), and `requestResource: {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` (indicating the resource of the original API request). \n See documentation for the \"matchPolicy\" field in the webhook configuration type."
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ requestSubResource:
+ description: RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. See documentation for the "matchPolicy" field in the webhook configuration type.
+ type: string
+ resource:
+ description: Resource is the fully-qualified resource being requested (for example, v1.pods)
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ subResource:
+ description: SubResource is the subresource being requested, if any (for example, "status" or "scale")
+ type: string
+ uid:
+ description: UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are otherwise identical (parallel requests, requests when earlier requests did not modify etc) The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging.
+ type: string
+ userInfo:
+ description: UserInfo is information about the requesting user
+ properties:
+ extra:
+ additionalProperties:
+ description: ExtraValue masks the value so protobuf can generate
+ items:
+ type: string
+ type: array
+ description: Any additional information provided by the authenticator.
+ type: object
+ groups:
+ description: The names of groups this user is a part of.
+ items:
+ type: string
+ type: array
+ uid:
+ description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
+ type: string
+ username:
+ description: The name that uniquely identifies this user among all active users.
+ type: string
+ type: object
+ required:
+ - kind
+ - operation
+ - resource
+ - uid
+ - userInfo
+ type: object
operation:
description: Operation is the type of resource operation being checked for admission control
type: string
@@ -4690,10 +4768,4 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
{{- end }}
diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 6a1c847cad..ecb1ec5060 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -5,6 +5,7 @@ package main
import (
"context"
+ "encoding/json"
"flag"
"os"
"sync"
@@ -20,6 +21,7 @@ import (
"github.com/kyverno/kyverno/pkg/signal"
"github.com/kyverno/kyverno/pkg/tls"
"github.com/kyverno/kyverno/pkg/utils"
+ admissionv1 "k8s.io/api/admission/v1"
coordinationv1 "k8s.io/api/coordination/v1"
"k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -445,6 +447,16 @@ func convertGR(pclient kyvernoclient.Interface) error {
}
for _, gr := range grs.Items {
cp := gr.DeepCopy()
+ var request *admissionv1.AdmissionRequest
+ if cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest != "" {
+ var r admissionv1.AdmissionRequest
+ err := json.Unmarshal([]byte(cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest), &r)
+ if err != nil {
+ logger.Error(err, "failed to unmarshal admission request")
+ errors = append(errors, err)
+ continue
+ }
+ }
ur := &kyvernov1beta1.UpdateRequest{
ObjectMeta: metav1.ObjectMeta{
GenerateName: "ur-",
@@ -462,7 +474,7 @@ func convertGR(pclient kyvernoclient.Interface) error {
AdmissionUserInfo: cp.Spec.Context.UserRequestInfo.AdmissionUserInfo,
},
AdmissionRequestInfo: kyvernov1beta1.AdmissionRequestInfoObject{
- AdmissionRequest: cp.Spec.Context.AdmissionRequestInfo.AdmissionRequest,
+ AdmissionRequest: request,
Operation: cp.Spec.Context.AdmissionRequestInfo.Operation,
},
},
diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml
index 55f6537548..7e0ff540ea 100644
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@@ -2561,9 +2561,3 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/kyverno.io_clusterreportchangerequests.yaml b/config/crds/kyverno.io_clusterreportchangerequests.yaml
index 0cd5fd4294..f04db480d0 100644
--- a/config/crds/kyverno.io_clusterreportchangerequests.yaml
+++ b/config/crds/kyverno.io_clusterreportchangerequests.yaml
@@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/kyverno.io_generaterequests.yaml b/config/crds/kyverno.io_generaterequests.yaml
index c09eb7ae6d..b8ce629f2b 100644
--- a/config/crds/kyverno.io_generaterequests.yaml
+++ b/config/crds/kyverno.io_generaterequests.yaml
@@ -182,9 +182,3 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml
index e667f837fb..617aa19a1d 100644
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@@ -2563,9 +2563,3 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/kyverno.io_reportchangerequests.yaml b/config/crds/kyverno.io_reportchangerequests.yaml
index 5777287df0..5d4b014271 100644
--- a/config/crds/kyverno.io_reportchangerequests.yaml
+++ b/config/crds/kyverno.io_reportchangerequests.yaml
@@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/kyverno.io_updaterequests.yaml b/config/crds/kyverno.io_updaterequests.yaml
index cdb6156f84..212154e3b6 100644
--- a/config/crds/kyverno.io_updaterequests.yaml
+++ b/config/crds/kyverno.io_updaterequests.yaml
@@ -68,7 +68,197 @@ spec:
and operation details
properties:
admissionRequest:
- type: string
+ description: AdmissionRequest describes the admission.Attributes
+ for the admission request.
+ properties:
+ dryRun:
+ description: DryRun indicates that modifications will
+ definitely not be persisted for this request. Defaults
+ to false.
+ type: boolean
+ kind:
+ description: Kind is the fully-qualified type of object
+ being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ name:
+ description: Name is the name of the object as presented
+ in the request. On a CREATE operation, the client may
+ omit name and rely on the server to generate the name. If
+ that is the case, this field will contain an empty string.
+ type: string
+ namespace:
+ description: Namespace is the namespace associated with
+ the request (if any).
+ type: string
+ object:
+ description: Object is the object from the incoming request.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ oldObject:
+ description: OldObject is the existing object. Only populated
+ for DELETE and UPDATE requests.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ operation:
+ description: Operation is the operation being performed.
+ This may be different than the operation requested.
+ e.g. a patch can result in either a CREATE or UPDATE
+ Operation.
+ type: string
+ options:
+ description: Options is the operation option structure
+ of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
+ or `meta.k8s.io/v1.CreateOptions`. This may be different
+ than the options the caller provided. e.g. for a patch
+ request the performed Operation might be a CREATE, in
+ which case the Options will a `meta.k8s.io/v1.CreateOptions`
+ even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ requestKind:
+ description: "RequestKind is the fully-qualified type
+ of the original API request (for example, v1.Pod or
+ autoscaling.v1.Scale). If this is specified and differs
+ from the value in \"kind\", an equivalent match and
+ conversion was performed. \n For example, if deployments
+ can be modified via apps/v1 and apps/v1beta1, and a
+ webhook registered a rule of `apiGroups:[\"apps\"],
+ apiVersions:[\"v1\"], resources: [\"deployments\"]`
+ and `matchPolicy: Equivalent`, an API request to apps/v1beta1
+ deployments would be converted and sent to the webhook
+ with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
+ (matching the rule the webhook registered for), and
+ `requestKind: {group:\"apps\", version:\"v1beta1\",
+ kind:\"Deployment\"}` (indicating the kind of the original
+ API request). \n See documentation for the \"matchPolicy\"
+ field in the webhook configuration type for more details."
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ requestResource:
+ description: "RequestResource is the fully-qualified resource
+ of the original API request (for example, v1.pods).
+ If this is specified and differs from the value in \"resource\",
+ an equivalent match and conversion was performed. \n
+ For example, if deployments can be modified via apps/v1
+ and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
+ [\"deployments\"]` and `matchPolicy: Equivalent`, an
+ API request to apps/v1beta1 deployments would be converted
+ and sent to the webhook with `resource: {group:\"apps\",
+ version:\"v1\", resource:\"deployments\"}` (matching
+ the resource the webhook registered for), and `requestResource:
+ {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
+ (indicating the resource of the original API request).
+ \n See documentation for the \"matchPolicy\" field in
+ the webhook configuration type."
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ requestSubResource:
+ description: RequestSubResource is the name of the subresource
+ of the original API request, if any (for example, "status"
+ or "scale") If this is specified and differs from the
+ value in "subResource", an equivalent match and conversion
+ was performed. See documentation for the "matchPolicy"
+ field in the webhook configuration type.
+ type: string
+ resource:
+ description: Resource is the fully-qualified resource
+ being requested (for example, v1.pods)
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ subResource:
+ description: SubResource is the subresource being requested,
+ if any (for example, "status" or "scale")
+ type: string
+ uid:
+ description: UID is an identifier for the individual request/response.
+ It allows us to distinguish instances of requests which
+ are otherwise identical (parallel requests, requests
+ when earlier requests did not modify etc) The UID is
+ meant to track the round trip (request/response) between
+ the KAS and the WebHook, not the user request. It is
+ suitable for correlating log entries between the webhook
+ and apiserver, for either auditing or debugging.
+ type: string
+ userInfo:
+ description: UserInfo is information about the requesting
+ user
+ properties:
+ extra:
+ additionalProperties:
+ description: ExtraValue masks the value so protobuf
+ can generate
+ items:
+ type: string
+ type: array
+ description: Any additional information provided by
+ the authenticator.
+ type: object
+ groups:
+ description: The names of groups this user is a part
+ of.
+ items:
+ type: string
+ type: array
+ uid:
+ description: A unique value that identifies this user
+ across time. If this user is deleted and another
+ user by the same name is added, they will have different
+ UIDs.
+ type: string
+ username:
+ description: The name that uniquely identifies this
+ user among all active users.
+ type: string
+ type: object
+ required:
+ - kind
+ - operation
+ - resource
+ - uid
+ - userInfo
+ type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@@ -193,9 +383,3 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml
index 4bb6b60006..990c4e9f23 100644
--- a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml
+++ b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml
@@ -354,9 +354,3 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/crds/wgpolicyk8s.io_policyreports.yaml b/config/crds/wgpolicyk8s.io_policyreports.yaml
index 099c5610a5..e5b1c792ae 100644
--- a/config/crds/wgpolicyk8s.io_policyreports.yaml
+++ b/config/crds/wgpolicyk8s.io_policyreports.yaml
@@ -353,9 +353,3 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
diff --git a/config/install.yaml b/config/install.yaml
index 23fc55b94c..e8e45733cc 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -2578,12 +2578,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -2946,12 +2940,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -3314,12 +3302,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -3510,12 +3492,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6087,12 +6063,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6454,12 +6424,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6822,12 +6786,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6904,7 +6862,197 @@ spec:
and operation details
properties:
admissionRequest:
- type: string
+ description: AdmissionRequest describes the admission.Attributes
+ for the admission request.
+ properties:
+ dryRun:
+ description: DryRun indicates that modifications will
+ definitely not be persisted for this request. Defaults
+ to false.
+ type: boolean
+ kind:
+ description: Kind is the fully-qualified type of object
+ being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ name:
+ description: Name is the name of the object as presented
+ in the request. On a CREATE operation, the client may
+ omit name and rely on the server to generate the name. If
+ that is the case, this field will contain an empty string.
+ type: string
+ namespace:
+ description: Namespace is the namespace associated with
+ the request (if any).
+ type: string
+ object:
+ description: Object is the object from the incoming request.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ oldObject:
+ description: OldObject is the existing object. Only populated
+ for DELETE and UPDATE requests.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ operation:
+ description: Operation is the operation being performed.
+ This may be different than the operation requested.
+ e.g. a patch can result in either a CREATE or UPDATE
+ Operation.
+ type: string
+ options:
+ description: Options is the operation option structure
+ of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
+ or `meta.k8s.io/v1.CreateOptions`. This may be different
+ than the options the caller provided. e.g. for a patch
+ request the performed Operation might be a CREATE, in
+ which case the Options will a `meta.k8s.io/v1.CreateOptions`
+ even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ requestKind:
+ description: "RequestKind is the fully-qualified type
+ of the original API request (for example, v1.Pod or
+ autoscaling.v1.Scale). If this is specified and differs
+ from the value in \"kind\", an equivalent match and
+ conversion was performed. \n For example, if deployments
+ can be modified via apps/v1 and apps/v1beta1, and a
+ webhook registered a rule of `apiGroups:[\"apps\"],
+ apiVersions:[\"v1\"], resources: [\"deployments\"]`
+ and `matchPolicy: Equivalent`, an API request to apps/v1beta1
+ deployments would be converted and sent to the webhook
+ with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
+ (matching the rule the webhook registered for), and
+ `requestKind: {group:\"apps\", version:\"v1beta1\",
+ kind:\"Deployment\"}` (indicating the kind of the original
+ API request). \n See documentation for the \"matchPolicy\"
+ field in the webhook configuration type for more details."
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ requestResource:
+ description: "RequestResource is the fully-qualified resource
+ of the original API request (for example, v1.pods).
+ If this is specified and differs from the value in \"resource\",
+ an equivalent match and conversion was performed. \n
+ For example, if deployments can be modified via apps/v1
+ and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
+ [\"deployments\"]` and `matchPolicy: Equivalent`, an
+ API request to apps/v1beta1 deployments would be converted
+ and sent to the webhook with `resource: {group:\"apps\",
+ version:\"v1\", resource:\"deployments\"}` (matching
+ the resource the webhook registered for), and `requestResource:
+ {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
+ (indicating the resource of the original API request).
+ \n See documentation for the \"matchPolicy\" field in
+ the webhook configuration type."
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ requestSubResource:
+ description: RequestSubResource is the name of the subresource
+ of the original API request, if any (for example, "status"
+ or "scale") If this is specified and differs from the
+ value in "subResource", an equivalent match and conversion
+ was performed. See documentation for the "matchPolicy"
+ field in the webhook configuration type.
+ type: string
+ resource:
+ description: Resource is the fully-qualified resource
+ being requested (for example, v1.pods)
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ subResource:
+ description: SubResource is the subresource being requested,
+ if any (for example, "status" or "scale")
+ type: string
+ uid:
+ description: UID is an identifier for the individual request/response.
+ It allows us to distinguish instances of requests which
+ are otherwise identical (parallel requests, requests
+ when earlier requests did not modify etc) The UID is
+ meant to track the round trip (request/response) between
+ the KAS and the WebHook, not the user request. It is
+ suitable for correlating log entries between the webhook
+ and apiserver, for either auditing or debugging.
+ type: string
+ userInfo:
+ description: UserInfo is information about the requesting
+ user
+ properties:
+ extra:
+ additionalProperties:
+ description: ExtraValue masks the value so protobuf
+ can generate
+ items:
+ type: string
+ type: array
+ description: Any additional information provided by
+ the authenticator.
+ type: object
+ groups:
+ description: The names of groups this user is a part
+ of.
+ items:
+ type: string
+ type: array
+ uid:
+ description: A unique value that identifies this user
+ across time. If this user is deleted and another
+ user by the same name is added, they will have different
+ UIDs.
+ type: string
+ username:
+ description: The name that uniquely identifies this
+ user among all active users.
+ type: string
+ type: object
+ required:
+ - kind
+ - operation
+ - resource
+ - uid
+ - userInfo
+ type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@@ -7029,12 +7177,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
diff --git a/config/install_debug.yaml b/config/install_debug.yaml
index 3ce071292b..eb252329a8 100755
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@@ -2576,12 +2576,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -2943,12 +2937,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -3310,12 +3298,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -3505,12 +3487,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6081,12 +6057,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6447,12 +6417,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6814,12 +6778,6 @@ spec:
served: true
storage: true
subresources: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -6895,7 +6853,197 @@ spec:
and operation details
properties:
admissionRequest:
- type: string
+ description: AdmissionRequest describes the admission.Attributes
+ for the admission request.
+ properties:
+ dryRun:
+ description: DryRun indicates that modifications will
+ definitely not be persisted for this request. Defaults
+ to false.
+ type: boolean
+ kind:
+ description: Kind is the fully-qualified type of object
+ being submitted (for example, v1.Pod or autoscaling.v1.Scale)
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ name:
+ description: Name is the name of the object as presented
+ in the request. On a CREATE operation, the client may
+ omit name and rely on the server to generate the name. If
+ that is the case, this field will contain an empty string.
+ type: string
+ namespace:
+ description: Namespace is the namespace associated with
+ the request (if any).
+ type: string
+ object:
+ description: Object is the object from the incoming request.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ oldObject:
+ description: OldObject is the existing object. Only populated
+ for DELETE and UPDATE requests.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ operation:
+ description: Operation is the operation being performed.
+ This may be different than the operation requested.
+ e.g. a patch can result in either a CREATE or UPDATE
+ Operation.
+ type: string
+ options:
+ description: Options is the operation option structure
+ of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions`
+ or `meta.k8s.io/v1.CreateOptions`. This may be different
+ than the options the caller provided. e.g. for a patch
+ request the performed Operation might be a CREATE, in
+ which case the Options will a `meta.k8s.io/v1.CreateOptions`
+ even though the caller provided `meta.k8s.io/v1.PatchOptions`.
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ requestKind:
+ description: "RequestKind is the fully-qualified type
+ of the original API request (for example, v1.Pod or
+ autoscaling.v1.Scale). If this is specified and differs
+ from the value in \"kind\", an equivalent match and
+ conversion was performed. \n For example, if deployments
+ can be modified via apps/v1 and apps/v1beta1, and a
+ webhook registered a rule of `apiGroups:[\"apps\"],
+ apiVersions:[\"v1\"], resources: [\"deployments\"]`
+ and `matchPolicy: Equivalent`, an API request to apps/v1beta1
+ deployments would be converted and sent to the webhook
+ with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}`
+ (matching the rule the webhook registered for), and
+ `requestKind: {group:\"apps\", version:\"v1beta1\",
+ kind:\"Deployment\"}` (indicating the kind of the original
+ API request). \n See documentation for the \"matchPolicy\"
+ field in the webhook configuration type for more details."
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - kind
+ - version
+ type: object
+ requestResource:
+ description: "RequestResource is the fully-qualified resource
+ of the original API request (for example, v1.pods).
+ If this is specified and differs from the value in \"resource\",
+ an equivalent match and conversion was performed. \n
+ For example, if deployments can be modified via apps/v1
+ and apps/v1beta1, and a webhook registered a rule of
+ `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources:
+ [\"deployments\"]` and `matchPolicy: Equivalent`, an
+ API request to apps/v1beta1 deployments would be converted
+ and sent to the webhook with `resource: {group:\"apps\",
+ version:\"v1\", resource:\"deployments\"}` (matching
+ the resource the webhook registered for), and `requestResource:
+ {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}`
+ (indicating the resource of the original API request).
+ \n See documentation for the \"matchPolicy\" field in
+ the webhook configuration type."
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ requestSubResource:
+ description: RequestSubResource is the name of the subresource
+ of the original API request, if any (for example, "status"
+ or "scale") If this is specified and differs from the
+ value in "subResource", an equivalent match and conversion
+ was performed. See documentation for the "matchPolicy"
+ field in the webhook configuration type.
+ type: string
+ resource:
+ description: Resource is the fully-qualified resource
+ being requested (for example, v1.pods)
+ properties:
+ group:
+ type: string
+ resource:
+ type: string
+ version:
+ type: string
+ required:
+ - group
+ - resource
+ - version
+ type: object
+ subResource:
+ description: SubResource is the subresource being requested,
+ if any (for example, "status" or "scale")
+ type: string
+ uid:
+ description: UID is an identifier for the individual request/response.
+ It allows us to distinguish instances of requests which
+ are otherwise identical (parallel requests, requests
+ when earlier requests did not modify etc) The UID is
+ meant to track the round trip (request/response) between
+ the KAS and the WebHook, not the user request. It is
+ suitable for correlating log entries between the webhook
+ and apiserver, for either auditing or debugging.
+ type: string
+ userInfo:
+ description: UserInfo is information about the requesting
+ user
+ properties:
+ extra:
+ additionalProperties:
+ description: ExtraValue masks the value so protobuf
+ can generate
+ items:
+ type: string
+ type: array
+ description: Any additional information provided by
+ the authenticator.
+ type: object
+ groups:
+ description: The names of groups this user is a part
+ of.
+ items:
+ type: string
+ type: array
+ uid:
+ description: A unique value that identifies this user
+ across time. If this user is deleted and another
+ user by the same name is added, they will have different
+ UIDs.
+ type: string
+ username:
+ description: The name that uniquely identifies this
+ user among all active users.
+ type: string
+ type: object
+ required:
+ - kind
+ - operation
+ - resource
+ - uid
+ - userInfo
+ type: object
operation:
description: Operation is the type of resource operation being
checked for admission control
@@ -7020,12 +7168,6 @@ spec:
storage: true
subresources:
status: {}
-status:
- acceptedNames:
- kind: ""
- plural: ""
- conditions: []
- storedVersions: []
---
apiVersion: v1
kind: ServiceAccount
diff --git a/docs/crd/v1beta1/index.html b/docs/crd/v1beta1/index.html
index 17acd87331..98eb3dfaff 100644
--- a/docs/crd/v1beta1/index.html
+++ b/docs/crd/v1beta1/index.html
@@ -178,7 +178,9 @@ UpdateRequestStatus
admissionRequest
-string
+
+Kubernetes admission/v1.AdmissionRequest
+
|
diff --git a/pkg/background/common/context.go b/pkg/background/common/context.go
index 5a2a2bb1ca..81e5bdb2eb 100644
--- a/pkg/background/common/context.go
+++ b/pkg/background/common/context.go
@@ -1,7 +1,6 @@
package common
import (
- "encoding/json"
"fmt"
"reflect"
@@ -14,7 +13,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/context"
utils "github.com/kyverno/kyverno/pkg/utils"
"github.com/pkg/errors"
- admissionv1 "k8s.io/api/admission/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@@ -26,21 +24,15 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
logger logr.Logger,
) (*engine.PolicyContext, bool, error) {
ctx := context.NewContext()
- requestString := ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest
- var request admissionv1.AdmissionRequest
var new, old unstructured.Unstructured
+ var err error
- if requestString != "" {
- err := json.Unmarshal([]byte(requestString), &request)
- if err != nil {
- return nil, false, errors.Wrap(err, "error parsing the request string")
- }
-
- if err := ctx.AddRequest(&request); err != nil {
+ if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
+ if err := ctx.AddRequest(ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
- new, old, err = utils.ExtractResources(nil, &request)
+ new, old, err = utils.ExtractResources(nil, ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
@@ -61,7 +53,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
return nil, false, errors.New("trigger resource does not exist")
}
- err := ctx.AddResource(trigger.Object)
+ err = ctx.AddResource(trigger.Object)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load resource in context")
}
diff --git a/pkg/webhooks/resource/utils.go b/pkg/webhooks/resource/utils.go
index 8b73e536cc..6dca7ffb6f 100644
--- a/pkg/webhooks/resource/utils.go
+++ b/pkg/webhooks/resource/utils.go
@@ -5,7 +5,6 @@ import (
"fmt"
"strings"
- "github.com/gardener/controller-manager-library/pkg/logger"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
@@ -318,12 +317,8 @@ func stripNonPolicyFields(obj, newRes map[string]interface{}, logger logr.Logger
func applyUpdateRequest(request *admissionv1.AdmissionRequest, ruleType kyvernov1beta1.RequestType, grGenerator updaterequest.Generator, userRequestInfo kyvernov1beta1.RequestInfo,
action admissionv1.Operation, engineResponses ...*response.EngineResponse,
) (failedUpdateRequest []updateRequestResponse) {
- requestBytes, err := json.Marshal(request)
- if err != nil {
- logger.Error(err, "error loading request into context")
- }
admissionRequestInfo := kyvernov1beta1.AdmissionRequestInfoObject{
- AdmissionRequest: string(requestBytes),
+ AdmissionRequest: request,
Operation: action,
}
|