mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00

feat: improve validating policy api (#12243)

* feat: improve validating policy api

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Charles-Edouard Brétéché 2025-02-26 16:18:12 +01:00 committed by GitHub
parent 7a34b60ed2
commit ebaad6fbb1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 419 additions and 122 deletions


@ -89,35 +89,25 @@ type ValidatingPolicySpec struct {
// +optional // +optional
WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"` WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
// Admission controls if rules are applied during admission. // EvaluationConfiguration defines the configuration for the policy evaluation.
// Optional. Default value is "true".
// +optional // +optional
// +kubebuilder:default=true EvaluationConfiguration *EvaluationConfiguration `json:"evaluationConfiguration,omitempty"`
Admission *bool `json:"admission,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Background *bool `json:"background,omitempty"`
} }
// AdmissionEnabled checks if admission is set to true // AdmissionEnabled checks if admission is set to true
func (s ValidatingPolicySpec) AdmissionEnabled() bool { func (s ValidatingPolicySpec) AdmissionEnabled() bool {
if s.Admission == nil { if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Admission == nil || s.EvaluationConfiguration.Admission.Enabled == nil {
return true return true
} }
return *s.EvaluationConfiguration.Admission.Enabled
return *s.Admission
} }
// BackgroundEnabled checks if background is set to true // BackgroundEnabled checks if background is set to true
func (s ValidatingPolicySpec) BackgroundEnabled() bool { func (s ValidatingPolicySpec) BackgroundEnabled() bool {
if s.Background == nil { if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Background == nil || s.EvaluationConfiguration.Background.Enabled == nil {
return true return true
} }
return *s.Background return *s.EvaluationConfiguration.Background.Enabled
} }
type WebhookConfiguration struct { type WebhookConfiguration struct {
@ -126,3 +116,30 @@ type WebhookConfiguration struct {
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"` TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
} }
type EvaluationConfiguration struct {
// Admission controls policy evaluation during admission.
// +optional
Admission *AdmissionConfiguration `json:"admission,omitempty"`
// Background controls policy evaluation during background scan.
// +optional
Background *BackgroundConfiguration `json:"background,omitempty"`
}
type AdmissionConfiguration struct {
// Enabled controls if rules are applied during admission.
// Optional. Default value is "true".
// +optional
// +kubebuilder:default=true
Enabled *bool `json:"enabled,omitempty"`
}
type BackgroundConfiguration struct {
// Enabled controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
// uses variables that are only available in the admission review request (e.g. user name).
// +optional
// +kubebuilder:default=true
Enabled *bool `json:"enabled,omitempty"`
}
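Review bot: Because `AdmissionEnabled` and `BackgroundEnabled` default to `true` when the nested value is unset, a policy that still carries the old top-level `admission: false` or `background: false` would evaluate as enabled once those fields are gone from the type and the CRD schema. Whether the API server prunes or rejects the old fields depends on how the manifest is applied, so this is worth confirming for policies already stored under v1alpha1. The `background` case matters most, since the field comment says it must be `false` when a rule uses admission-only variables. Consider documenting the rename as a breaking change, and fix the accessor comments, which say "checks if admission is set to true" although the method also returns true when unset, e.g. `// AdmissionEnabled reports whether admission evaluation is enabled; it defaults to true when unset.` The three new types `EvaluationConfiguration`, `AdmissionConfiguration` and `BackgroundConfiguration` also have no type-level doc comment.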


@ -20,7 +20,11 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "true", name: "true",
policy: &ValidatingPolicy{ policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{ Spec: ValidatingPolicySpec{
Admission: ptr.To(true), EvaluationConfiguration: &EvaluationConfiguration{
Admission: &AdmissionConfiguration{
Enabled: ptr.To(true),
},
},
}, },
}, },
want: true, want: true,
@ -28,12 +32,15 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
name: "false", name: "false",
policy: &ValidatingPolicy{ policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{ Spec: ValidatingPolicySpec{
Admission: ptr.To(false), EvaluationConfiguration: &EvaluationConfiguration{
Admission: &AdmissionConfiguration{
Enabled: ptr.To(false),
},
},
}, },
}, },
want: false, want: false,
}, }}
}
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.AdmissionEnabled() got := tt.policy.Spec.AdmissionEnabled()
@ -55,7 +62,11 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "true", name: "true",
policy: &ValidatingPolicy{ policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{ Spec: ValidatingPolicySpec{
Background: ptr.To(true), EvaluationConfiguration: &EvaluationConfiguration{
Background: &BackgroundConfiguration{
Enabled: ptr.To(true),
},
},
}, },
}, },
want: true, want: true,
@ -63,12 +74,15 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
name: "false", name: "false",
policy: &ValidatingPolicy{ policy: &ValidatingPolicy{
Spec: ValidatingPolicySpec{ Spec: ValidatingPolicySpec{
Background: ptr.To(false), EvaluationConfiguration: &EvaluationConfiguration{
Background: &BackgroundConfiguration{
Enabled: ptr.To(false),
},
},
}, },
}, },
want: false, want: false,
}, }}
}
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
got := tt.policy.Spec.BackgroundEnabled() got := tt.policy.Spec.BackgroundEnabled()
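Review bot: The updated cases only exercise a fully populated chain, so the two new intermediate nil checks in `AdmissionEnabled` and `BackgroundEnabled` are not covered by anything visible in these hunks. Add a case with an empty parent and one with an empty child, for example `EvaluationConfiguration: &EvaluationConfiguration{}` and `Admission: &AdmissionConfiguration{}`, both with `want: true`, and the same for `Background`. Both test functions begin before and continue after the hunks shown, so a nil-spec case may already exist outside this view.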


@ -28,6 +28,27 @@ import (
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration) {
*out = *in
if in.Enabled != nil {
in, out := &in.Enabled, &out.Enabled
*out = new(bool)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration.
func (in *AdmissionConfiguration) DeepCopy() *AdmissionConfiguration {
if in == nil {
return nil
}
out := new(AdmissionConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Attestation) DeepCopyInto(out *Attestation) { func (in *Attestation) DeepCopyInto(out *Attestation) {
*out = *in *out = *in
@ -146,6 +167,27 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration) {
*out = *in
if in.Enabled != nil {
in, out := &in.Enabled, &out.Enabled
*out = new(bool)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration.
func (in *BackgroundConfiguration) DeepCopy() *BackgroundConfiguration {
if in == nil {
return nil
}
out := new(BackgroundConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) { func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
*out = *in *out = *in
@ -343,6 +385,32 @@ func (in *Credentials) DeepCopy() *Credentials {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration) {
*out = *in
if in.Admission != nil {
in, out := &in.Admission, &out.Admission
*out = new(AdmissionConfiguration)
(*in).DeepCopyInto(*out)
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(BackgroundConfiguration)
(*in).DeepCopyInto(*out)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration.
func (in *EvaluationConfiguration) DeepCopy() *EvaluationConfiguration {
if in == nil {
return nil
}
out := new(EvaluationConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Identity) DeepCopyInto(out *Identity) { func (in *Identity) DeepCopyInto(out *Identity) {
*out = *in *out = *in
@ -931,15 +999,10 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
*out = new(WebhookConfiguration) *out = new(WebhookConfiguration)
(*in).DeepCopyInto(*out) (*in).DeepCopyInto(*out)
} }
if in.Admission != nil { if in.EvaluationConfiguration != nil {
in, out := &in.Admission, &out.Admission in, out := &in.EvaluationConfiguration, &out.EvaluationConfiguration
*out = new(bool) *out = new(EvaluationConfiguration)
**out = **in (*in).DeepCopyInto(*out)
}
if in.Background != nil {
in, out := &in.Background, &out.Background
*out = new(bool)
**out = **in
} }
return return
} }


@ -56,12 +56,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy. behavior of the ValidatingPolicy.
properties: properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations: auditAnnotations:
description: |- description: |-
auditAnnotations contains CEL expressions which are used to produce audit auditAnnotations contains CEL expressions which are used to produce audit
@ -114,13 +108,33 @@ spec:
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
background: evaluationConfiguration:
default: true description: EvaluationConfiguration defines the configuration for
description: |- the policy evaluation.
Background controls if rules are applied to existing resources during a background scan. properties:
Optional. Default value is "true". The value must be set to "false" if the policy rule admission:
uses variables that are only available in the admission review request (e.g. user name). description: Admission controls policy evaluation during admission.
type: boolean properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy: failurePolicy:
description: |- description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can failurePolicy defines how to handle failures for the admission policy. Failures can


@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy. behavior of the ValidatingPolicy.
properties: properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations: auditAnnotations:
description: |- description: |-
auditAnnotations contains CEL expressions which are used to produce audit auditAnnotations contains CEL expressions which are used to produce audit
@ -108,13 +102,33 @@ spec:
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
background: evaluationConfiguration:
default: true description: EvaluationConfiguration defines the configuration for
description: |- the policy evaluation.
Background controls if rules are applied to existing resources during a background scan. properties:
Optional. Default value is "true". The value must be set to "false" if the policy rule admission:
uses variables that are only available in the admission review request (e.g. user name). description: Admission controls policy evaluation during admission.
type: boolean properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy: failurePolicy:
description: |- description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can failurePolicy defines how to handle failures for the admission policy. Failures can


@ -50,12 +50,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy. behavior of the ValidatingPolicy.
properties: properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations: auditAnnotations:
description: |- description: |-
auditAnnotations contains CEL expressions which are used to produce audit auditAnnotations contains CEL expressions which are used to produce audit
@ -108,13 +102,33 @@ spec:
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
background: evaluationConfiguration:
default: true description: EvaluationConfiguration defines the configuration for
description: |- the policy evaluation.
Background controls if rules are applied to existing resources during a background scan. properties:
Optional. Default value is "true". The value must be set to "false" if the policy rule admission:
uses variables that are only available in the admission review request (e.g. user name). description: Admission controls policy evaluation during admission.
type: boolean properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy: failurePolicy:
description: |- description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can failurePolicy defines how to handle failures for the admission policy. Failures can


@ -48598,12 +48598,6 @@ spec:
description: ValidatingPolicySpec is the specification of the desired description: ValidatingPolicySpec is the specification of the desired
behavior of the ValidatingPolicy. behavior of the ValidatingPolicy.
properties: properties:
admission:
default: true
description: |-
Admission controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
auditAnnotations: auditAnnotations:
description: |- description: |-
auditAnnotations contains CEL expressions which are used to produce audit auditAnnotations contains CEL expressions which are used to produce audit
@ -48656,13 +48650,33 @@ spec:
type: object type: object
type: array type: array
x-kubernetes-list-type: atomic x-kubernetes-list-type: atomic
background: evaluationConfiguration:
default: true description: EvaluationConfiguration defines the configuration for
description: |- the policy evaluation.
Background controls if rules are applied to existing resources during a background scan. properties:
Optional. Default value is "true". The value must be set to "false" if the policy rule admission:
uses variables that are only available in the admission review request (e.g. user name). description: Admission controls policy evaluation during admission.
type: boolean properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied during admission.
Optional. Default value is "true".
type: boolean
type: object
background:
description: Background controls policy evaluation during background
scan.
properties:
enabled:
default: true
description: |-
Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is "true". The value must be set to "false" if the policy rule
uses variables that are only available in the admission review request (e.g. user name).
type: boolean
type: object
type: object
failurePolicy: failurePolicy:
description: |- description: |-
failurePolicy defines how to handle failures for the admission policy. Failures can failurePolicy defines how to handle failures for the admission policy. Failures can


@ -10840,29 +10840,16 @@ WebhookConfiguration
</tr> </tr>
<tr> <tr>
<td> <td>
<code>admission</code><br/> <code>evaluationConfiguration</code><br/>
<em> <em>
bool <a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
EvaluationConfiguration
</a>
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>Admission controls if rules are applied during admission. <p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td> </td>
</tr> </tr>
</table> </table>
@ -10885,6 +10872,38 @@ PolicyStatus
</tbody> </tbody>
</table> </table>
<hr /> <hr />
<h3 id="policies.kyverno.io/v1alpha1.AdmissionConfiguration">AdmissionConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>enabled</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Enabled controls if rules are applied during admission.
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.Attestation">Attestation <h3 id="policies.kyverno.io/v1alpha1.Attestation">Attestation
</h3> </h3>
<p> <p>
@ -11115,6 +11134,39 @@ Kubernetes admissionregistration/v1.MatchResources
</tbody> </tbody>
</table> </table>
<hr /> <hr />
<h3 id="policies.kyverno.io/v1alpha1.BackgroundConfiguration">BackgroundConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>enabled</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Enabled controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec <h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec
</h3> </h3>
<p> <p>
@ -11490,6 +11542,53 @@ Secrets must live in the Kyverno namespace.</p>
<p> <p>
<p>CredentialsProvidersType provides the list of credential providers required.</p> <p>CredentialsProvidersType provides the list of credential providers required.</p>
</p> </p>
<h3 id="policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration
</h3>
<p>
(<em>Appears on:</em>
<a href="#policies.kyverno.io/v1alpha1.ValidatingPolicySpec">ValidatingPolicySpec</a>)
</p>
<p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>admission</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.AdmissionConfiguration">
AdmissionConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Admission controls policy evaluation during admission.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
<a href="#policies.kyverno.io/v1alpha1.BackgroundConfiguration">
BackgroundConfiguration
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls policy evaluation during background scan.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy <h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy
</h3> </h3>
<p> <p>
@ -12607,29 +12706,16 @@ WebhookConfiguration
</tr> </tr>
<tr> <tr>
<td> <td>
<code>admission</code><br/> <code>evaluationConfiguration</code><br/>
<em> <em>
bool <a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
EvaluationConfiguration
</a>
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <em>(Optional)</em>
<p>Admission controls if rules are applied during admission. <p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
Optional. Default value is &ldquo;true&rdquo;.</p>
</td>
</tr>
<tr>
<td>
<code>background</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>Background controls if rules are applied to existing resources during a background scan.
Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
uses variables that are only available in the admission review request (e.g. user name).</p>
</td> </td>
</tr> </tr>
</tbody> </tbody>


@ -0,0 +1,62 @@
package policy
import (
"testing"
"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
"github.com/stretchr/testify/assert"
"k8s.io/utils/ptr"
)
func TestRemoveNoneBackgroundPolicies(t *testing.T) {
yes := v1alpha1.ValidatingPolicy{
Spec: v1alpha1.ValidatingPolicySpec{
EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
Background: &v1alpha1.BackgroundConfiguration{
Enabled: ptr.To(true),
},
},
},
}
no := v1alpha1.ValidatingPolicy{
Spec: v1alpha1.ValidatingPolicySpec{
EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
Background: &v1alpha1.BackgroundConfiguration{
Enabled: ptr.To(false),
},
},
},
}
tests := []struct {
name string
policies []v1alpha1.ValidatingPolicy
want []v1alpha1.ValidatingPolicy
}{{
name: "nil",
policies: nil,
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "empty",
policies: []v1alpha1.ValidatingPolicy{},
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "only no",
policies: []v1alpha1.ValidatingPolicy{no},
want: []v1alpha1.ValidatingPolicy{},
}, {
name: "only yes",
policies: []v1alpha1.ValidatingPolicy{yes},
want: []v1alpha1.ValidatingPolicy{yes},
}, {
name: "both",
policies: []v1alpha1.ValidatingPolicy{yes, no},
want: []v1alpha1.ValidatingPolicy{yes},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := RemoveNoneBackgroundPolicies(tt.policies)
assert.Equal(t, tt.want, got)
})
}
}
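Review bot: The table covers explicit `Enabled: true` and `Enabled: false` but not a policy with no `EvaluationConfiguration` at all, which is likely the common path since the field is optional and the accessor defaults to enabled. Add a zero-value policy, e.g. `def := v1alpha1.ValidatingPolicy{}` with a case `{name: "default", policies: []v1alpha1.ValidatingPolicy{def}, want: []v1alpha1.ValidatingPolicy{def}}`, so a regression that drops unset policies from background scans is caught. `RemoveNoneBackgroundPolicies` is defined outside this page, so the expected result assumes it keeps policies for which `BackgroundEnabled()` returns true.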


@ -7,6 +7,5 @@ func Filter[T any](list []T, filter func(T) bool) []T {
filtered = append(filtered, item) filtered = append(filtered, item)
} }
} }
return filtered return filtered
} }