From ebaad6fbb178925e0d95f22437bb6cc54af8a771 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Wed, 26 Feb 2025 16:18:12 +0100
Subject: [PATCH] feat: improve validating policy api (#12243)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* feat: improve validating policy api
Signed-off-by: Charles-Edouard Brétéché
* fix
Signed-off-by: Charles-Edouard Brétéché
---------
Signed-off-by: Charles-Edouard Brétéché
Co-authored-by: shuting
---
.../v1alpha1/validating_spec_types.go | 49 ++++--
.../v1alpha1/validating_spec_types_test.go | 30 +++-
.../v1alpha1/zz_generated.deepcopy.go | 81 ++++++++-
...olicies.kyverno.io_validatingpolicies.yaml | 40 +++--
...olicies.kyverno.io_validatingpolicies.yaml | 40 +++--
...olicies.kyverno.io_validatingpolicies.yaml | 40 +++--
config/install-latest-testing.yaml | 40 +++--
docs/user/crd/index.html | 158 ++++++++++++++----
pkg/cel/policy/filter_test.go | 62 +++++++
pkg/utils/slices/filter.go | 1 -
10 files changed, 419 insertions(+), 122 deletions(-)
create mode 100644 pkg/cel/policy/filter_test.go
diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
index 231c3874c5..3a36808500 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types.go
@@ -89,35 +89,25 @@ type ValidatingPolicySpec struct {
// +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
- // Admission controls if rules are applied during admission.
- // Optional. Default value is "true".
+ // EvaluationConfiguration defines the configuration for the policy evaluation.
// +optional
- // +kubebuilder:default=true
- Admission *bool `json:"admission,omitempty"`
-
- // Background controls if rules are applied to existing resources during a background scan.
- // Optional. Default value is "true". The value must be set to "false" if the policy rule
- // uses variables that are only available in the admission review request (e.g. user name).
- // +optional
- // +kubebuilder:default=true
- Background *bool `json:"background,omitempty"`
+ EvaluationConfiguration *EvaluationConfiguration `json:"evaluationConfiguration,omitempty"`
}
// AdmissionEnabled checks if admission is set to true
func (s ValidatingPolicySpec) AdmissionEnabled() bool {
- if s.Admission == nil {
+ if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Admission == nil || s.EvaluationConfiguration.Admission.Enabled == nil {
return true
}
-
- return *s.Admission
+ return *s.EvaluationConfiguration.Admission.Enabled
}
// BackgroundEnabled checks if background is set to true
func (s ValidatingPolicySpec) BackgroundEnabled() bool {
- if s.Background == nil {
+ if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Background == nil || s.EvaluationConfiguration.Background.Enabled == nil {
return true
}
- return *s.Background
+ return *s.EvaluationConfiguration.Background.Enabled
}
type WebhookConfiguration struct {
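Review bot: Manifests that still set the removed `spec.admission` or `spec.background` keys have no field to decode into in the new `ValidatingPolicySpec`, so `EvaluationConfiguration` is likely to stay nil and both accessors return true. A policy written with `background: false` because it reads admission-only variables would then be included in background scans, and one written with `admission: false` would start being evaluated at admission, with nothing pointing at the stale key. No conversion or rejection of the old keys is visible in this commit, so an upgrade note or an explicit validation error for them seems worth adding if v1alpha1 objects already exist in clusters. The accessor comments should also state the default, for example `// AdmissionEnabled reports whether the policy is evaluated at admission; it returns true when evaluationConfiguration, admission or enabled is unset.` The struct itself begins outside the hunk.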
@@ -126,3 +116,30 @@ type WebhookConfiguration struct {
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}
+
+type EvaluationConfiguration struct {
+ // Admission controls policy evaluation during admission.
+ // +optional
+ Admission *AdmissionConfiguration `json:"admission,omitempty"`
+
+ // Background controls policy evaluation during background scan.
+ // +optional
+ Background *BackgroundConfiguration `json:"background,omitempty"`
+}
+
+type AdmissionConfiguration struct {
+ // Enabled controls if rules are applied during admission.
+ // Optional. Default value is "true".
+ // +optional
+ // +kubebuilder:default=true
+ Enabled *bool `json:"enabled,omitempty"`
+}
+
+type BackgroundConfiguration struct {
+ // Enabled controls if rules are applied to existing resources during a background scan.
+ // Optional. Default value is "true". The value must be set to "false" if the policy rule
+ // uses variables that are only available in the admission review request (e.g. user name).
+ // +optional
+ // +kubebuilder:default=true
+ Enabled *bool `json:"enabled,omitempty"`
+}
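Review bot: The three new exported types have no type-level doc comment, and the `Enabled` comments do not say when the `+kubebuilder:default=true` marker actually takes effect. As far as I know, CRD defaulting fills `enabled` only when the parent `admission` or `background` object is present, so for a policy that omits `evaluationConfiguration` the effective default comes from the nil checks in `AdmissionEnabled` and `BackgroundEnabled`, not from the schema. I would add `// EvaluationConfiguration groups the settings that decide when a policy is evaluated.` above the first type, add matching one-line comments on `AdmissionConfiguration` and `BackgroundConfiguration`, and extend each `Enabled` comment with `// When the parent object is omitted the policy is treated as enabled.`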
diff --git a/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go b/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
index c769ebb3b9..c0ef60881e 100644
--- a/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
+++ b/api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go
@@ -20,7 +20,11 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "true",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
- Admission: ptr.To(true),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Admission: &AdmissionConfiguration{
+ Enabled: ptr.To(true),
+ },
+ },
},
},
want: true,
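Review bot: The cases visible in this table set all three levels (`EvaluationConfiguration`, `Admission`, `Enabled`), so the two new nil branches in `AdmissionEnabled` are not exercised: a configuration object with no `Admission`, and an `Admission` with no `Enabled`. Those branches are what keep a partially filled policy enforced by default, so they deserve a pinned expectation. The table starts outside the hunk, so a case with the whole field unset may already exist. The same gap applies to the `BackgroundEnabled` table in the later hunks of this file, with `Background` and `BackgroundConfiguration` in place of the admission types.

```go
// … unchanged: existing "true" and "false" cases …
{
	name: "evaluation configuration without admission",
	policy: &ValidatingPolicy{
		Spec: ValidatingPolicySpec{
			EvaluationConfiguration: &EvaluationConfiguration{},
		},
	},
	want: true,
}, {
	name: "admission without enabled",
	policy: &ValidatingPolicy{
		Spec: ValidatingPolicySpec{
			EvaluationConfiguration: &EvaluationConfiguration{
				Admission: &AdmissionConfiguration{},
			},
		},
	},
	want: true,
},
```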
@@ -28,12 +32,15 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "false",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
- Admission: ptr.To(false),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Admission: &AdmissionConfiguration{
+ Enabled: ptr.To(false),
+ },
+ },
},
},
want: false,
- },
- }
+ }}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.AdmissionEnabled()
@@ -55,7 +62,11 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "true",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
- Background: ptr.To(true),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Background: &BackgroundConfiguration{
+ Enabled: ptr.To(true),
+ },
+ },
},
},
want: true,
@@ -63,12 +74,15 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "false",
policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{
- Background: ptr.To(false),
+ EvaluationConfiguration: &EvaluationConfiguration{
+ Background: &BackgroundConfiguration{
+ Enabled: ptr.To(false),
+ },
+ },
},
},
want: false,
- },
- }
+ }}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.BackgroundEnabled()
diff --git a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
index 37031d3eb3..33a5ddf930 100644
--- a/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
+++ b/api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go
@@ -28,6 +28,27 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration) {
+ *out = *in
+ if in.Enabled != nil {
+ in, out := &in.Enabled, &out.Enabled
+ *out = new(bool)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration.
+func (in *AdmissionConfiguration) DeepCopy() *AdmissionConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(AdmissionConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Attestation) DeepCopyInto(out *Attestation) {
*out = *in
@@ -146,6 +167,27 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration) {
+ *out = *in
+ if in.Enabled != nil {
+ in, out := &in.Enabled, &out.Enabled
+ *out = new(bool)
+ **out = **in
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration.
+func (in *BackgroundConfiguration) DeepCopy() *BackgroundConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(BackgroundConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
*out = *in
@@ -343,6 +385,32 @@ func (in *Credentials) DeepCopy() *Credentials {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration) {
+ *out = *in
+ if in.Admission != nil {
+ in, out := &in.Admission, &out.Admission
+ *out = new(AdmissionConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Background != nil {
+ in, out := &in.Background, &out.Background
+ *out = new(BackgroundConfiguration)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration.
+func (in *EvaluationConfiguration) DeepCopy() *EvaluationConfiguration {
+ if in == nil {
+ return nil
+ }
+ out := new(EvaluationConfiguration)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Identity) DeepCopyInto(out *Identity) {
*out = *in
@@ -931,15 +999,10 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
*out = new(WebhookConfiguration)
(*in).DeepCopyInto(*out)
}
- if in.Admission != nil {
- in, out := &in.Admission, &out.Admission
- *out = new(bool)
- **out = **in
- }
- if in.Background != nil {
- in, out := &in.Background, &out.Background
- *out = new(bool)
- **out = **in
+ if in.EvaluationConfiguration != nil {
+ in, out := &in.EvaluationConfiguration, &out.EvaluationConfiguration
+ *out = new(EvaluationConfiguration)
+ (*in).DeepCopyInto(*out)
}
return
}
diff --git a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
index 3ad7969bcf..a5ba9e817e 100644
--- a/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
@@ -56,12 +56,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
- admission:
- default: true
- description: |-
- Admission controls if rules are applied during admission.
- Optional. Default value is "true".
- type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@@ -114,13 +108,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
- background:
- default: true
- description: |-
- Background controls if rules are applied to existing resources during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
+ evaluationConfiguration:
+ description: EvaluationConfiguration defines the configuration for
+ the policy evaluation.
+ properties:
+ admission:
+ description: Admission controls policy evaluation during admission.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied during admission.
+ Optional. Default value is "true".
+ type: boolean
+ type: object
+ background:
+ description: Background controls policy evaluation during background
+ scan.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
+ type: boolean
+ type: object
+ type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can
diff --git a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
index 572badb4d6..2459190255 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml
@@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
- admission:
- default: true
- description: |-
- Admission controls if rules are applied during admission.
- Optional. Default value is "true".
- type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@@ -108,13 +102,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
- background:
- default: true
- description: |-
- Background controls if rules are applied to existing resources during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
+ evaluationConfiguration:
+ description: EvaluationConfiguration defines the configuration for
+ the policy evaluation.
+ properties:
+ admission:
+ description: Admission controls policy evaluation during admission.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied during admission.
+ Optional. Default value is "true".
+ type: boolean
+ type: object
+ background:
+ description: Background controls policy evaluation during background
+ scan.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
+ type: boolean
+ type: object
+ type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can
diff --git a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
index 572badb4d6..2459190255 100644
--- a/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
+++ b/config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml
@@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
- admission:
- default: true
- description: |-
- Admission controls if rules are applied during admission.
- Optional. Default value is "true".
- type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@@ -108,13 +102,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
- background:
- default: true
- description: |-
- Background controls if rules are applied to existing resources during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
+ evaluationConfiguration:
+ description: EvaluationConfiguration defines the configuration for
+ the policy evaluation.
+ properties:
+ admission:
+ description: Admission controls policy evaluation during admission.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied during admission.
+ Optional. Default value is "true".
+ type: boolean
+ type: object
+ background:
+ description: Background controls policy evaluation during background
+ scan.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
+ type: boolean
+ type: object
+ type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 36757e4117..7ef8eb3d73 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -48598,12 +48598,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy.
properties:
- admission:
- default: true
- description: |-
- Admission controls if rules are applied during admission.
- Optional. Default value is "true".
- type: boolean
auditAnnotations:
description: |-
auditAnnotations contains CEL expressions which are used to produce audit
@@ -48656,13 +48650,33 @@ spec:
type: object
type: array
x-kubernetes-list-type: atomic
- background:
- default: true
- description: |-
- Background controls if rules are applied to existing resources during a background scan.
- Optional. Default value is "true". The value must be set to "false" if the policy rule
- uses variables that are only available in the admission review request (e.g. user name).
- type: boolean
+ evaluationConfiguration:
+ description: EvaluationConfiguration defines the configuration for
+ the policy evaluation.
+ properties:
+ admission:
+ description: Admission controls policy evaluation during admission.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied during admission.
+ Optional. Default value is "true".
+ type: boolean
+ type: object
+ background:
+ description: Background controls policy evaluation during background
+ scan.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ Enabled controls if rules are applied to existing resources during a background scan.
+ Optional. Default value is "true". The value must be set to "false" if the policy rule
+ uses variables that are only available in the admission review request (e.g. user name).
+ type: boolean
+ type: object
+ type: object
failurePolicy:
description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html
index 1f75e8cd06..e88612399c 100644
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@@ -10840,29 +10840,16 @@ WebhookConfiguration
-admission
+evaluationConfiguration
-bool
+
+EvaluationConfiguration
+
|
(Optional)
- Admission controls if rules are applied during admission.
-Optional. Default value is “true”.
- |
-
-
-
-background
-
-bool
-
- |
-
-(Optional)
- Background controls if rules are applied to existing resources during a background scan.
-Optional. Default value is “true”. The value must be set to “false” if the policy rule
-uses variables that are only available in the admission review request (e.g. user name).
+EvaluationConfiguration defines the configuration for the policy evaluation.
|
@@ -10885,6 +10872,38 @@ PolicyStatus
+AdmissionConfiguration
+
+
+(Appears on:
+EvaluationConfiguration)
+
+
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+enabled
+
+bool
+
+ |
+
+(Optional)
+ Enabled controls if rules are applied during admission.
+Optional. Default value is “true”.
+ |
+
+
+
+
Attestation
@@ -11115,6 +11134,39 @@ Kubernetes admissionregistration/v1.MatchResources
+BackgroundConfiguration
+
+
+(Appears on:
+EvaluationConfiguration)
+
+
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+enabled
+
+bool
+
+ |
+
+(Optional)
+ Enabled controls if rules are applied to existing resources during a background scan.
+Optional. Default value is “true”. The value must be set to “false” if the policy rule
+uses variables that are only available in the admission review request (e.g. user name).
+ |
+
+
+
+
CELPolicyExceptionSpec
@@ -11490,6 +11542,53 @@ Secrets must live in the Kyverno namespace.
CredentialsProvidersType provides the list of credential providers required.
+EvaluationConfiguration
+
+
+(Appears on:
+ValidatingPolicySpec)
+
+
+
+
+
+
+Field |
+Description |
+
+
+
+
+
+admission
+
+
+AdmissionConfiguration
+
+
+ |
+
+(Optional)
+ Admission controls policy evaluation during admission.
+ |
+
+
+
+background
+
+
+BackgroundConfiguration
+
+
+ |
+
+(Optional)
+ Background controls policy evaluation during background scan.
+ |
+
+
+
+
GenericPolicy
@@ -12607,29 +12706,16 @@ WebhookConfiguration
-admission
+evaluationConfiguration
-bool
+
+EvaluationConfiguration
+
|
(Optional)
- Admission controls if rules are applied during admission.
-Optional. Default value is “true”.
- |
-
-
-
-background
-
-bool
-
- |
-
-(Optional)
- Background controls if rules are applied to existing resources during a background scan.
-Optional. Default value is “true”. The value must be set to “false” if the policy rule
-uses variables that are only available in the admission review request (e.g. user name).
+EvaluationConfiguration defines the configuration for the policy evaluation.
|
diff --git a/pkg/cel/policy/filter_test.go b/pkg/cel/policy/filter_test.go
new file mode 100644
index 0000000000..aef78c9145
--- /dev/null
+++ b/pkg/cel/policy/filter_test.go
@@ -0,0 +1,62 @@
+package policy
+
+import (
+ "testing"
+
+ "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+ "github.com/stretchr/testify/assert"
+ "k8s.io/utils/ptr"
+)
+
+func TestRemoveNoneBackgroundPolicies(t *testing.T) {
+ yes := v1alpha1.ValidatingPolicy{
+ Spec: v1alpha1.ValidatingPolicySpec{
+ EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
+ Background: &v1alpha1.BackgroundConfiguration{
+ Enabled: ptr.To(true),
+ },
+ },
+ },
+ }
+ no := v1alpha1.ValidatingPolicy{
+ Spec: v1alpha1.ValidatingPolicySpec{
+ EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
+ Background: &v1alpha1.BackgroundConfiguration{
+ Enabled: ptr.To(false),
+ },
+ },
+ },
+ }
+ tests := []struct {
+ name string
+ policies []v1alpha1.ValidatingPolicy
+ want []v1alpha1.ValidatingPolicy
+ }{{
+ name: "nil",
+ policies: nil,
+ want: []v1alpha1.ValidatingPolicy{},
+ }, {
+ name: "empty",
+ policies: []v1alpha1.ValidatingPolicy{},
+ want: []v1alpha1.ValidatingPolicy{},
+ }, {
+ name: "only no",
+ policies: []v1alpha1.ValidatingPolicy{no},
+ want: []v1alpha1.ValidatingPolicy{},
+ }, {
+ name: "only yes",
+ policies: []v1alpha1.ValidatingPolicy{yes},
+ want: []v1alpha1.ValidatingPolicy{yes},
+ }, {
+ name: "both",
+ policies: []v1alpha1.ValidatingPolicy{yes, no},
+ want: []v1alpha1.ValidatingPolicy{yes},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := RemoveNoneBackgroundPolicies(tt.policies)
+ assert.Equal(t, tt.want, got)
+ })
+ }
+}
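Review bot: Every policy in this table sets `Background.Enabled` explicitly, so nothing checks that a policy with no `EvaluationConfiguration` survives the filter. `RemoveNoneBackgroundPolicies` is not part of this diff; if it relies on `BackgroundEnabled()`, an unset configuration should be kept, and that default is the one most likely to regress without notice. Adding a case such as `{name: "unset", policies: []v1alpha1.ValidatingPolicy{{}}, want: []v1alpha1.ValidatingPolicy{{}}}` would pin it. A short comment on the "nil" case noting that the expected result is an empty, non-nil slice would also help, since `assert.Equal` treats the two differently.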
diff --git a/pkg/utils/slices/filter.go b/pkg/utils/slices/filter.go
index ba465d53e8..e07d76dc41 100644
--- a/pkg/utils/slices/filter.go
+++ b/pkg/utils/slices/filter.go
@@ -7,6 +7,5 @@ func Filter[T any](list []T, filter func(T) bool) []T {
filtered = append(filtered, item)
}
}
-
return filtered
}