
feat: improve validating policy api (#12243)

* feat: improve validating policy api

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Charles-Edouard Brétéché 2025-02-26 16:18:12 +01:00 committed by GitHub
parent 7a34b60ed2
commit ebaad6fbb1
10 changed files with 419 additions and 122 deletions


@ -89,35 +89,25 @@ type ValidatingPolicySpec struct {
// +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
// Admission controls if rules are applied during admission.
// Optional. Default value is "true".
// EvaluationConfiguration defines the configuration for the policy evaluation.
// +optional
// +kubebuilder:default=true
Admission *bool `json:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Background *bool `json:"background,omitempty"`
EvaluationConfiguration *EvaluationConfiguration `json:"evaluationConfiguration,omitempty"`
}
// AdmissionEnabled checks if admission is set to true
func (s ValidatingPolicySpec) AdmissionEnabled() bool {
if s.Admission == nil {
if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Admission == nil || s.EvaluationConfiguration.Admission.Enabled == nil {
return true
}
return *s.Admission
return *s.EvaluationConfiguration.Admission.Enabled
}
// BackgroundEnabled checks if background is set to true
func (s ValidatingPolicySpec) BackgroundEnabled() bool {
if s.Background == nil {
if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Background == nil || s.EvaluationConfiguration.Background.Enabled == nil {
return true
}
return *s.Background
return *s.EvaluationConfiguration.Background.Enabled
}
type WebhookConfiguration struct {
@ -126,3 +116,30 @@ type WebhookConfiguration struct {
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
type EvaluationConfiguration struct {
// Admission controls policy evaluation during admission.
// +optional
Admission *AdmissionConfiguration `json:"admission,omitempty"`
// Background controls policy evaluation during background scan.
// +optional
Background *BackgroundConfiguration `json:"background,omitempty"`
}
type AdmissionConfiguration struct {
// Enabled controls if rules are applied during admission.
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Enabled *bool `json:"enabled,omitempty"`
}
type BackgroundConfiguration struct {
// Enabled controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Enabled *bool `json:"enabled,omitempty"`
}
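Review bot: The three new exported types `EvaluationConfiguration`, `AdmissionConfiguration` and `BackgroundConfiguration` have no doc comment on the type line, while every field under them is documented; add one-liners such as `// EvaluationConfiguration groups the admission and background evaluation settings of a ValidatingPolicy.` (and the equivalent for the two leaf types) so the generated CRD schema and API reference describe the objects and not only their `enabled` leaf. Separately, the first hunk drops `admission` and `background` from the spec root without any replacement handling: a stored object that still carries `background: false` would presumably have that key pruned as unknown and fall back to the `true` default in `BackgroundEnabled`, so a policy that relied on it to stay out of background scans (e.g. because it reads admission-only variables) would silently start being evaluated there; this deserves a release note and, if feasible, a validation rule rejecting the old keys. `AdmissionEnabled` and `BackgroundEnabled` now repeat the same three-step nil walk; a nil-safe method on each leaf type, `func (c *AdmissionConfiguration) IsEnabled() bool { return c == nil || c.Enabled == nil || *c.Enabled }`, would keep the default in one place.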


@ -20,7 +20,11 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "true",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
Admission: ptr.To(true),
EvaluationConfiguration: &EvaluationConfiguration{
Admission: &AdmissionConfiguration{
Enabled: ptr.To(true),
},
},
},
},
want: true,
@ -28,12 +32,15 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "false",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
Admission: ptr.To(false),
EvaluationConfiguration: &EvaluationConfiguration{
Admission: &AdmissionConfiguration{
Enabled: ptr.To(false),
},
},
},
},
want: false,
},
}
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.AdmissionEnabled()
@ -55,7 +62,11 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "true",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
Background: ptr.To(true),
EvaluationConfiguration: &EvaluationConfiguration{
Background: &BackgroundConfiguration{
Enabled: ptr.To(true),
},
},
},
},
want: true,
@ -63,12 +74,15 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "false",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
Background: ptr.To(false),
EvaluationConfiguration: &EvaluationConfiguration{
Background: &BackgroundConfiguration{
Enabled: ptr.To(false),
},
},
},
},
want: false,
},
}
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.BackgroundEnabled()
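Review bot: The updated tables only exercise "unset" versus "explicitly true/false", but the new accessor has two intermediate nil levels that are never covered: `EvaluationConfiguration` set with `Admission` nil, and `Admission` set with `Enabled` nil, both of which must still report `true`. Those are exactly the shapes a partially filled `evaluationConfiguration:` block produces, so the default branch of `AdmissionEnabled` is effectively untested; the same gap applies to the `BackgroundEnabled` table in the hunk at `@ -63,12 +74,15 @@`. The enclosing `TestValidatingPolicySpec_AdmissionEnabled` and `TestValidatingPolicySpec_BackgroundEnabled` start outside the hunks.
```go
// … unchanged: existing "true" / "false" cases …
}, {
	name: "evaluation configuration without admission",
	policy: &ValidatingPolicy{
		Spec: ValidatingPolicySpec{
			EvaluationConfiguration: &EvaluationConfiguration{},
		},
	},
	want: true,
}, {
	name: "admission without enabled",
	policy: &ValidatingPolicy{
		Spec: ValidatingPolicySpec{
			EvaluationConfiguration: &EvaluationConfiguration{
				Admission: &AdmissionConfiguration{},
			},
		},
	},
	want: true,
},
```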


@ -28,6 +28,27 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration) {
*out = *in
if in.Enabled != nil {
in, out := &in.Enabled, &out.Enabled
*out = new(bool)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration.
func (in *AdmissionConfiguration) DeepCopy() *AdmissionConfiguration {
if in == nil {
return nil
}
out := new(AdmissionConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Attestation) DeepCopyInto(out *Attestation) {
*out = *in
@ -146,6 +167,27 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration) {
*out = *in
if in.Enabled != nil {
in, out := &in.Enabled, &out.Enabled
*out = new(bool)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration.
func (in *BackgroundConfiguration) DeepCopy() *BackgroundConfiguration {
if in == nil {
return nil
}
out := new(BackgroundConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
*out = *in
@ -343,6 +385,32 @@ func (in *Credentials) DeepCopy() *Credentials {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration) {
*out = *in
if in.Admission != nil {
in, out := &in.Admission, &out.Admission
*out = new(AdmissionConfiguration)
(*in).DeepCopyInto(*out)
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(BackgroundConfiguration)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration.
func (in *EvaluationConfiguration) DeepCopy() *EvaluationConfiguration {
if in == nil {
return nil
}
out := new(EvaluationConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Identity) DeepCopyInto(out *Identity) {
*out = *in
@ -931,15 +999,10 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
*out = new(WebhookConfiguration)
(*in).DeepCopyInto(*out)
}
if in.Admission != nil {
in, out := &in.Admission, &out.Admission
*out = new(bool)
**out = **in
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)
**out = **in
if in.EvaluationConfiguration != nil {
in, out := &in.EvaluationConfiguration, &out.EvaluationConfiguration
*out = new(EvaluationConfiguration)
(*in).DeepCopyInto(*out)
}
return
}


@ -56,12 +56,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@ -114,13 +108,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
background:
default: true
description: |-
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
evaluationConfiguration:
description: EvaluationConfiguration defines the configuration for
the policy evaluation.
properties:
admission:
description: Admission controls policy evaluation during admission.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can


@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@ -108,13 +102,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
background:
default: true
description: |-
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
evaluationConfiguration:
description: EvaluationConfiguration defines the configuration for
the policy evaluation.
properties:
admission:
description: Admission controls policy evaluation during admission.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can


@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@ -108,13 +102,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
background:
default: true
description: |-
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
evaluationConfiguration:
description: EvaluationConfiguration defines the configuration for
the policy evaluation.
properties:
admission:
description: Admission controls policy evaluation during admission.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can


@ -48598,12 +48598,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@ -48656,13 +48650,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
background:
default: true
description: |-
Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
evaluationConfiguration:
description: EvaluationConfiguration defines the configuration for
the policy evaluation.
properties:
admission:
description: Admission controls policy evaluation during admission.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can


@ -10840,29 +10840,16 @@ WebhookConfiguration
</tr>
<tr>
<td>
<code>admission</code><br/>
<code>evaluationConfiguration</code><br/>
<em>
bool
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
EvaluationConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
<p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
</td>
</tr>
</table>
@ -10885,6 +10872,38 @@ PolicyStatus
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.AdmissionConfiguration">AdmissionConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>enabled</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Enabled controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.Attestation">Attestation
</h3>
<p>
@ -11115,6 +11134,39 @@ Kubernetes admissionregistration/v1.MatchResources
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.BackgroundConfiguration">BackgroundConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>enabled</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec
</h3>
<p>
@ -11490,6 +11542,53 @@ Secrets must live in the Kyverno namespace.</p>
<p>
<p>CredentialsProvidersType provides the list of credential providers required.</p>
</p>
<h3 id="policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.ValidatingPolicySpec">ValidatingPolicySpec</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>admission</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.AdmissionConfiguration">
AdmissionConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls policy evaluation during admission.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.BackgroundConfiguration">
BackgroundConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls policy evaluation during background scan.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy
</h3>
<p>
@ -12607,29 +12706,16 @@ WebhookConfiguration
</tr>
<tr>
<td>
<code>admission</code><br/>
<code>evaluationConfiguration</code><br/>
<em>
bool
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
EvaluationConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
<p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
</td>
</tr>
</tbody>


@ -0,0 +1,62 @@
package policy
import (
"testing"
"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/stretchr/testify/assert"
"k8s.io/utils/ptr"
)
func TestRemoveNoneBackgroundPolicies(t *testing.T) {
yes := v1alpha1.ValidatingPolicy{
Spec: v1alpha1.ValidatingPolicySpec{
EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
Background: &v1alpha1.BackgroundConfiguration{
Enabled: ptr.To(true),
},
},
},
}
no := v1alpha1.ValidatingPolicy{
Spec: v1alpha1.ValidatingPolicySpec{
EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
Background: &v1alpha1.BackgroundConfiguration{
Enabled: ptr.To(false),
},
},
},
}
tests := []struct {
name string
policies []v1alpha1.ValidatingPolicy
want []v1alpha1.ValidatingPolicy
}{{
name: "nil",
policies: nil,
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "empty",
policies: []v1alpha1.ValidatingPolicy{},
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "only no",
policies: []v1alpha1.ValidatingPolicy{no},
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "only yes",
policies: []v1alpha1.ValidatingPolicy{yes},
want: []v1alpha1.ValidatingPolicy{yes},
}, {
name: "both",
policies: []v1alpha1.ValidatingPolicy{yes, no},
want: []v1alpha1.ValidatingPolicy{yes},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := RemoveNoneBackgroundPolicies(tt.policies)
assert.Equal(t, tt.want, got)
})
}
}
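Review bot: `TestRemoveNoneBackgroundPolicies` never feeds a policy with no `EvaluationConfiguration` at all, which is the most common real-world shape and the one where the default-to-enabled behaviour of `BackgroundEnabled` decides whether a policy is kept; add `dflt := v1alpha1.ValidatingPolicy{}` next to `yes`/`no` and a case `{name: "default", policies: []v1alpha1.ValidatingPolicy{dflt}, want: []v1alpha1.ValidatingPolicy{dflt}}` so a regression in the default would be caught here rather than in a cluster. The `nil` and `empty` cases expect a non-nil empty slice, which `assert.Equal` distinguishes from `nil`; that presumably relies on how `Filter` initialises its result, which lies outside this hunk, so a short comment on those cases stating the intent (`// Filter is expected to return an empty, non-nil slice`) would make the coupling explicit.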


@ -7,6 +7,5 @@ func Filter[T any](list []T, filter func(T) bool) []T {
filtered = append(filtered, item)
}
}
return filtered
}