diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
index 231c3874c5..3a36808500 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
@@ -89,35 +89,25 @@ type ValidatingPolicySpec struct {
 // +optional
 WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
- // Admission controls if rules are applied during admission.
- // Optional. Default value is "true".
+ // EvaluationConfiguration defines the configuration for the policy evaluation.
 // +optional
- // +kubebuilder:default=true
- Admission *bool `json:"admission,omitempty"`
-
- // Background controls if rules are applied to existing resources during a background scan.
- // Optional. Default value is "true". The value must be set to "false" if the policy rule
- // uses variables that are only available in the admission review request (e.g. user name).
- // +optional
- // +kubebuilder:default=true
- Background *bool `json:"background,omitempty"`
+ EvaluationConfiguration *EvaluationConfiguration `json:"evaluationConfiguration,omitempty"`
 }
 // AdmissionEnabled checks if admission is set to true
 func (s ValidatingPolicySpec) AdmissionEnabled() bool {
- if s.Admission == nil {
+ if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Admission == nil || s.EvaluationConfiguration.Admission.Enabled == nil {
 return true
 }
-
- return *s.Admission
+ return *s.EvaluationConfiguration.Admission.Enabled
 }
 // BackgroundEnabled checks if background is set to true
 func (s ValidatingPolicySpec) BackgroundEnabled() bool {
- if s.Background == nil {
+ if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Background == nil || s.EvaluationConfiguration.Background.Enabled == nil {
 return true
 }
- return *s.Background
+ return *s.EvaluationConfiguration.Background.Enabled
 }
 type WebhookConfiguration struct {
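Review bot: Removing the top-level `admission` and `background` fields from the v1alpha1 spec with no conversion or deprecation window means that, if any ValidatingPolicy objects are already stored in a cluster, a policy that set `background: false` (the case the removed comment reserves for rules using admission-only variables such as user name) loses that field as unknown on its next read, and BackgroundEnabled() in this hunk then falls back to `true`, so the policy starts being evaluated in background scans where those variables do not exist; `admission: false` flips to enabled the same way. If pre-existing objects of this alpha API are a realistic case, keep the old fields as `// Deprecated:` with precedence over the nested ones for one release, or at least call the silent flip out in the release notes. The rewritten getters also still say only "checks if admission is set to true"; their doc comments should state the fallback, e.g. `// AdmissionEnabled reports whether admission evaluation is enabled; it returns true when evaluationConfiguration, admission or enabled is unset.` and the matching sentence for BackgroundEnabled.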
@@ -126,3 +116,30 @@ type WebhookConfiguration struct {
 // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
 TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
 }
+
+type EvaluationConfiguration struct {
+ // Admission controls policy evaluation during admission.
+ // +optional
+ Admission *AdmissionConfiguration `json:"admission,omitempty"`
+
+ // Background controls policy evaluation during background scan.
+ // +optional
+ Background *BackgroundConfiguration `json:"background,omitempty"`
+}
+
+type AdmissionConfiguration struct {
+ // Enabled controls if rules are applied during admission.
+ // Optional. Default value is "true".
+ // +optional
+ // +kubebuilder:default=true
+ Enabled *bool `json:"enabled,omitempty"`
+}
+
+type BackgroundConfiguration struct {
+ // Enabled controls if rules are applied to existing resources during a background scan.
+ // Optional. Default value is "true". The value must be set to "false" if the policy rule
+ // uses variables that are only available in the admission review request (e.g. user name).
+ // +optional
+ // +kubebuilder:default=true
+ Enabled *bool `json:"enabled,omitempty"`
+}
diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
index c769ebb3b9..c0ef60881e 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
@@ -20,7 +20,11 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
 name: "true",
 policy: &ValidatingPolicy{
 Spec: ValidatingPolicySpec{
- Admission: ptr.To(true),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Admission: &AdmissionConfiguration{
+ Enabled: ptr.To(true),
+ },
+ },
 },
 },
 want: true,
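Review bot: The three new exported types `EvaluationConfiguration`, `AdmissionConfiguration` and `BackgroundConfiguration` are added without a doc comment, while every field inside them has one; since these types land in the generated CRD description and the API reference, each needs a leading comment starting with its name, e.g. `// EvaluationConfiguration groups the settings that control when a policy is evaluated.`, `// AdmissionConfiguration controls policy evaluation during admission.` and `// BackgroundConfiguration controls policy evaluation during background scans.`. It is also worth one sentence in the `EvaluationConfiguration` comment that the `+kubebuilder:default=true` markers on `enabled` only take effect when the enclosing `admission`/`background` object is present in the manifest, so an omitted block is not materialised as `enabled: true` by the API server and the nil fallback in the spec getters is what supplies the default; I believe that matches CRD structural defaulting, but confirm against the generated schema.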
@@ -28,12 +32,15 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
 name: "false",
 policy: &ValidatingPolicy{
 Spec: ValidatingPolicySpec{
- Admission: ptr.To(false),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Admission: &AdmissionConfiguration{
+ Enabled: ptr.To(false),
+ },
+ },
 },
 },
 want: false,
- },
- }
+ }}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 got := tt.policy.Spec.AdmissionEnabled()
@@ -55,7 +62,11 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
 name: "true",
 policy: &ValidatingPolicy{
 Spec: ValidatingPolicySpec{
- Background: ptr.To(true),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Background: &BackgroundConfiguration{
+ Enabled: ptr.To(true),
+ },
+ },
 },
 },
 want: true,
@@ -63,12 +74,15 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
 name: "false",
 policy: &ValidatingPolicy{
 Spec: ValidatingPolicySpec{
- Background: ptr.To(false),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Background: &BackgroundConfiguration{
+ Enabled: ptr.To(false),
+ },
+ },
 },
 },
 want: false,
- },
- }
+ }}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 got := tt.policy.Spec.BackgroundEnabled()
diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
index 37031d3eb3..33a5ddf930 100644
--- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
+++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
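Review bot: The updated tables only rewrite the existing "true" and "false" cases, so the two intermediate-nil branches that the getters gained (`EvaluationConfiguration` set but `Admission`/`Background` nil, and an empty `&AdmissionConfiguration{}` with `Enabled` nil) have no coverage even though they are exactly what changed; the same gap applies to the first test hunk in the previous diff line and to both BackgroundEnabled hunks here. Adding one table entry per getter would pin the fallback, e.g. `{name: "empty admission", policy: &ValidatingPolicy{Spec: ValidatingPolicySpec{EvaluationConfiguration: &EvaluationConfiguration{Admission: &AdmissionConfiguration{}}}}, want: true},` (whether a fully nil case already exists above the hunk cannot be seen from here). Collapsing the closing lines to `}}` also looks like an unintended formatting change rather than part of the rename; restoring `},` and `}` on separate lines keeps the diff to the field move. Both enclosing test functions start outside these hunks.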
@@ -28,6 +28,27 @@ import ( runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration. +func (in *AdmissionConfiguration) DeepCopy() *AdmissionConfiguration { + if in == nil { + return nil + } + out := new(AdmissionConfiguration) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Attestation) DeepCopyInto(out *Attestation) { *out = *in @@ -146,6 +167,27 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration. +func (in *BackgroundConfiguration) DeepCopy() *BackgroundConfiguration { + if in == nil { + return nil + } + out := new(BackgroundConfiguration) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) { *out = *in 
@@ -343,6 +385,32 @@ func (in *Credentials) DeepCopy() *Credentials { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration) { + *out = *in + if in.Admission != nil { + in, out := &in.Admission, &out.Admission + *out = new(AdmissionConfiguration) + (*in).DeepCopyInto(*out) + } + if in.Background != nil { + in, out := &in.Background, &out.Background + *out = new(BackgroundConfiguration) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration. +func (in *EvaluationConfiguration) DeepCopy() *EvaluationConfiguration { + if in == nil { + return nil + } + out := new(EvaluationConfiguration) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Identity) DeepCopyInto(out *Identity) { *out = *in @@ -931,15 +999,10 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) { *out = new(WebhookConfiguration) (*in).DeepCopyInto(*out) } - if in.Admission != nil { - in, out := &in.Admission, &out.Admission - *out = new(bool) - **out = **in - } - if in.Background != nil { - in, out := &in.Background, &out.Background - *out = new(bool) - **out = **in + if in.EvaluationConfiguration != nil { + in, out := &in.EvaluationConfiguration, &out.EvaluationConfiguration + *out = new(EvaluationConfiguration) + (*in).DeepCopyInto(*out) } return } diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 3ad7969bcf..a5ba9e817e 100644 --- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
+++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml @@ -56,12 +56,6 @@ spec: description: ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy. properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean auditAnnotations: description: |- auditAnnotations contains CEL expressions which are used to produce audit @@ -114,13 +108,33 @@ spec: type: object type: array x-kubernetes-list-type: atomic - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean + evaluationConfiguration: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + type: object failurePolicy: description: |- failurePolicy defines how to handle failures for the admission policy. Failures can 
diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml index 572badb4d6..2459190255 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml @@ -50,12 +50,6 @@ spec: description: ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy. properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean auditAnnotations: description: |- auditAnnotations contains CEL expressions which are used to produce audit 
@@ -108,13 +102,33 @@ spec: type: object type: array x-kubernetes-list-type: atomic - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean + evaluationConfiguration: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + type: object failurePolicy: description: |- failurePolicy defines how to handle failures for the admission policy. Failures can diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml index 572badb4d6..2459190255 100644 --- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml +++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml 
@@ -50,12 +50,6 @@ spec: description: ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy. properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean auditAnnotations: description: |- auditAnnotations contains CEL expressions which are used to produce audit @@ -108,13 +102,33 @@ spec: type: object type: array x-kubernetes-list-type: atomic - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean + evaluationConfiguration: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + type: object failurePolicy: description: |- failurePolicy defines how to handle failures for the admission policy. Failures can diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 36757e4117..7ef8eb3d73 100644 --- a/config/install-latest-testing.yaml 
+++ b/config/install-latest-testing.yaml @@ -48598,12 +48598,6 @@ spec: description: ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy. properties: - admission: - default: true - description: |- - Admission controls if rules are applied during admission. - Optional. Default value is "true". - type: boolean auditAnnotations: description: |- auditAnnotations contains CEL expressions which are used to produce audit @@ -48656,13 +48650,33 @@ spec: type: object type: array x-kubernetes-list-type: atomic - background: - default: true - description: |- - Background controls if rules are applied to existing resources during a background scan. - Optional. Default value is "true". The value must be set to "false" if the policy rule - uses variables that are only available in the admission review request (e.g. user name). - type: boolean + evaluationConfiguration: + description: EvaluationConfiguration defines the configuration for + the policy evaluation. + properties: + admission: + description: Admission controls policy evaluation during admission. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + type: object + background: + description: Background controls policy evaluation during background + scan. + properties: + enabled: + default: true + description: |- + Enabled controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + type: object + type: object failurePolicy: description: |- failurePolicy defines how to handle failures for the admission policy. Failures can diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 1f75e8cd06..e88612399c 100644 --- a/docs/user/crd/index.html 
+++ b/docs/user/crd/index.html @@ -10840,29 +10840,16 @@ WebhookConfiguration
admission
evaluationConfiguration
Admission controls if rules are applied during admission. -Optional. Default value is “true”.
-background
Background controls if rules are applied to existing resources during a background scan. -Optional. Default value is “true”. The value must be set to “false” if the policy rule -uses variables that are only available in the admission review request (e.g. user name).
+EvaluationConfiguration defines the configuration for the policy evaluation.
+(Appears on: +EvaluationConfiguration) +
++
+Field | +Description | +
---|---|
+enabled + +bool + + |
+
+(Optional)
+ Enabled controls if rules are applied during admission. +Optional. Default value is “true”. + |
+
@@ -11115,6 +11134,39 @@ Kubernetes admissionregistration/v1.MatchResources
+(Appears on: +EvaluationConfiguration) +
++
+Field | +Description | +
---|---|
+enabled + +bool + + |
+
+(Optional)
+ Enabled controls if rules are applied to existing resources during a background scan. +Optional. Default value is “true”. The value must be set to “false” if the policy rule +uses variables that are only available in the admission review request (e.g. user name). + |
+
@@ -11490,6 +11542,53 @@ Secrets must live in the Kyverno namespace.
CredentialsProvidersType provides the list of credential providers required.
++(Appears on: +ValidatingPolicySpec) +
++
+Field | +Description | +
---|---|
+admission + + +AdmissionConfiguration + + + |
+
+(Optional)
+ Admission controls policy evaluation during admission. + |
+
+background + + +BackgroundConfiguration + + + |
+
+(Optional)
+ Background controls policy evaluation during background scan. + |
+
@@ -12607,29 +12706,16 @@ WebhookConfiguration
admission
evaluationConfiguration
Admission controls if rules are applied during admission. -Optional. Default value is “true”.
-background
Background controls if rules are applied to existing resources during a background scan. -Optional. Default value is “true”. The value must be set to “false” if the policy rule -uses variables that are only available in the admission review request (e.g. user name).
+EvaluationConfiguration defines the configuration for the policy evaluation.