feat: improve validating policy api (#12243)

* feat: improve validating policy api

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>

api/policies.kyverno.io/v1alpha1/validating_spec_types.go

@@ -89,35 +89,25 @@ type ValidatingPolicySpec struct {
 	// +optional
 	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`
 
-	// Admission controls if rules are applied during admission.
-	// Optional. Default value is "true".
+	// EvaluationConfiguration defines the configuration for the policy evaluation.
 	// +optional
-	// +kubebuilder:default=true
-	Admission *bool `json:"admission,omitempty"`
-
-	// Background controls if rules are applied to existing resources during a background scan.
-	// Optional. Default value is "true". The value must be set to "false" if the policy rule
-	// uses variables that are only available in the admission review request (e.g. user name).
-	// +optional
-	// +kubebuilder:default=true
-	Background *bool `json:"background,omitempty"`
+	EvaluationConfiguration *EvaluationConfiguration `json:"evaluationConfiguration,omitempty"`
 }
 
 // AdmissionEnabled checks if admission is set to true
 func (s ValidatingPolicySpec) AdmissionEnabled() bool {
-	if s.Admission == nil {
+	if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Admission == nil || s.EvaluationConfiguration.Admission.Enabled == nil {
 		return true
 	}
-
-	return *s.Admission
+	return *s.EvaluationConfiguration.Admission.Enabled
 }
 
 // BackgroundEnabled checks if background is set to true
 func (s ValidatingPolicySpec) BackgroundEnabled() bool {
-	if s.Background == nil {
+	if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.Background == nil || s.EvaluationConfiguration.Background.Enabled == nil {
 		return true
 	}
-	return *s.Background
+	return *s.EvaluationConfiguration.Background.Enabled
 }
 
 type WebhookConfiguration struct {
@@ -126,3 +116,30 @@ type WebhookConfiguration struct {
 	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
 	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
 }
+
+type EvaluationConfiguration struct {
+	// Admission controls policy evaluation during admission.
+	// +optional
+	Admission *AdmissionConfiguration `json:"admission,omitempty"`
+
+	// Background  controls policy evaluation during background scan.
+	// +optional
+	Background *BackgroundConfiguration `json:"background,omitempty"`
+}
+
+type AdmissionConfiguration struct {
+	// Enabled controls if rules are applied during admission.
+	// Optional. Default value is "true".
+	// +optional
+	// +kubebuilder:default=true
+	Enabled *bool `json:"enabled,omitempty"`
+}
+
+type BackgroundConfiguration struct {
+	// Enabled controls if rules are applied to existing resources during a background scan.
+	// Optional. Default value is "true". The value must be set to "false" if the policy rule
+	// uses variables that are only available in the admission review request (e.g. user name).
+	// +optional
+	// +kubebuilder:default=true
+	Enabled *bool `json:"enabled,omitempty"`
+}

api/policies.kyverno.io/v1alpha1/validating_spec_types_test.go

@@ -20,7 +20,11 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
 		name: "true",
 		policy: &ValidatingPolicy{
 			Spec: ValidatingPolicySpec{
-				Admission: ptr.To(true),
+				EvaluationConfiguration: &EvaluationConfiguration{
+					Admission: &AdmissionConfiguration{
+						Enabled: ptr.To(true),
+					},
+				},
 			},
 		},
 		want: true,
@@ -28,12 +32,15 @@ func TestValidatingPolicySpec_AdmissionEnabled(t *testing.T) {
 		name: "false",
 		policy: &ValidatingPolicy{
 			Spec: ValidatingPolicySpec{
-				Admission: ptr.To(false),
+				EvaluationConfiguration: &EvaluationConfiguration{
+					Admission: &AdmissionConfiguration{
+						Enabled: ptr.To(false),
+					},
+				},
 			},
 		},
 		want: false,
-	},
-	}
+	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := tt.policy.Spec.AdmissionEnabled()
@@ -55,7 +62,11 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
 		name: "true",
 		policy: &ValidatingPolicy{
 			Spec: ValidatingPolicySpec{
-				Background: ptr.To(true),
+				EvaluationConfiguration: &EvaluationConfiguration{
+					Background: &BackgroundConfiguration{
+						Enabled: ptr.To(true),
+					},
+				},
 			},
 		},
 		want: true,
@@ -63,12 +74,15 @@ func TestValidatingPolicySpec_BackgroundEnabled(t *testing.T) {
 		name: "false",
 		policy: &ValidatingPolicy{
 			Spec: ValidatingPolicySpec{
-				Background: ptr.To(false),
+				EvaluationConfiguration: &EvaluationConfiguration{
+					Background: &BackgroundConfiguration{
+						Enabled: ptr.To(false),
+					},
+				},
 			},
 		},
 		want: false,
-	},
-	}
+	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := tt.policy.Spec.BackgroundEnabled()

api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go

@@ -28,6 +28,27 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration.
+func (in *AdmissionConfiguration) DeepCopy() *AdmissionConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(AdmissionConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Attestation) DeepCopyInto(out *Attestation) {
 	*out = *in
@@ -146,6 +167,27 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration.
+func (in *BackgroundConfiguration) DeepCopy() *BackgroundConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(BackgroundConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CELPolicyException) DeepCopyInto(out *CELPolicyException) {
 	*out = *in
@@ -343,6 +385,32 @@ func (in *Credentials) DeepCopy() *Credentials {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration) {
+	*out = *in
+	if in.Admission != nil {
+		in, out := &in.Admission, &out.Admission
+		*out = new(AdmissionConfiguration)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Background != nil {
+		in, out := &in.Background, &out.Background
+		*out = new(BackgroundConfiguration)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration.
+func (in *EvaluationConfiguration) DeepCopy() *EvaluationConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(EvaluationConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Identity) DeepCopyInto(out *Identity) {
 	*out = *in
@@ -931,15 +999,10 @@ func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec) {
 		*out = new(WebhookConfiguration)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.Admission != nil {
-		in, out := &in.Admission, &out.Admission
-		*out = new(bool)
-		**out = **in
-	}
-	if in.Background != nil {
-		in, out := &in.Background, &out.Background
-		*out = new(bool)
-		**out = **in
+	if in.EvaluationConfiguration != nil {
+		in, out := &in.EvaluationConfiguration, &out.EvaluationConfiguration
+		*out = new(EvaluationConfiguration)
+		(*in).DeepCopyInto(*out)
 	}
 	return
 }

charts/kyverno/charts/crds/templates/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -56,12 +56,6 @@ spec:
             description: ValidatingPolicySpec is the specification of the desired
               behavior of the ValidatingPolicy.
             properties:
-              admission:
-                default: true
-                description: |-
-                  Admission controls if rules are applied during admission.
-                  Optional. Default value is "true".
-                type: boolean
               auditAnnotations:
                 description: |-
                   auditAnnotations contains CEL expressions which are used to produce audit
@@ -114,13 +108,33 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
-              background:
+              evaluationConfiguration:
+                description: EvaluationConfiguration defines the configuration for
+                  the policy evaluation.
+                properties:
+                  admission:
+                    description: Admission controls policy evaluation during admission.
+                    properties:
+                      enabled:
                         default: true
                         description: |-
-                  Background controls if rules are applied to existing resources during a background scan.
+                          Enabled controls if rules are applied during admission.
+                          Optional. Default value is "true".
+                        type: boolean
+                    type: object
+                  background:
+                    description: Background  controls policy evaluation during background
+                      scan.
+                    properties:
+                      enabled:
+                        default: true
+                        description: |-
+                          Enabled controls if rules are applied to existing resources during a background scan.
                           Optional. Default value is "true". The value must be set to "false" if the policy rule
                           uses variables that are only available in the admission review request (e.g. user name).
                         type: boolean
+                    type: object
+                type: object
               failurePolicy:
                 description: |-
                   failurePolicy defines how to handle failures for the admission policy. Failures can

cmd/cli/kubectl-kyverno/data/crds/policies.kyverno.io_validatingpolicies.yaml

@@ -50,12 +50,6 @@ spec:
             description: ValidatingPolicySpec is the specification of the desired
               behavior of the ValidatingPolicy.
             properties:
-              admission:
-                default: true
-                description: |-
-                  Admission controls if rules are applied during admission.
-                  Optional. Default value is "true".
-                type: boolean
               auditAnnotations:
                 description: |-
                   auditAnnotations contains CEL expressions which are used to produce audit
@@ -108,13 +102,33 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
-              background:
+              evaluationConfiguration:
+                description: EvaluationConfiguration defines the configuration for
+                  the policy evaluation.
+                properties:
+                  admission:
+                    description: Admission controls policy evaluation during admission.
+                    properties:
+                      enabled:
                         default: true
                         description: |-
-                  Background controls if rules are applied to existing resources during a background scan.
+                          Enabled controls if rules are applied during admission.
+                          Optional. Default value is "true".
+                        type: boolean
+                    type: object
+                  background:
+                    description: Background  controls policy evaluation during background
+                      scan.
+                    properties:
+                      enabled:
+                        default: true
+                        description: |-
+                          Enabled controls if rules are applied to existing resources during a background scan.
                           Optional. Default value is "true". The value must be set to "false" if the policy rule
                           uses variables that are only available in the admission review request (e.g. user name).
                         type: boolean
+                    type: object
+                type: object
               failurePolicy:
                 description: |-
                   failurePolicy defines how to handle failures for the admission policy. Failures can

config/crds/policies.kyverno.io/policies.kyverno.io_validatingpolicies.yaml

@@ -50,12 +50,6 @@ spec:
             description: ValidatingPolicySpec is the specification of the desired
               behavior of the ValidatingPolicy.
             properties:
-              admission:
-                default: true
-                description: |-
-                  Admission controls if rules are applied during admission.
-                  Optional. Default value is "true".
-                type: boolean
               auditAnnotations:
                 description: |-
                   auditAnnotations contains CEL expressions which are used to produce audit
@@ -108,13 +102,33 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
-              background:
+              evaluationConfiguration:
+                description: EvaluationConfiguration defines the configuration for
+                  the policy evaluation.
+                properties:
+                  admission:
+                    description: Admission controls policy evaluation during admission.
+                    properties:
+                      enabled:
                         default: true
                         description: |-
-                  Background controls if rules are applied to existing resources during a background scan.
+                          Enabled controls if rules are applied during admission.
+                          Optional. Default value is "true".
+                        type: boolean
+                    type: object
+                  background:
+                    description: Background  controls policy evaluation during background
+                      scan.
+                    properties:
+                      enabled:
+                        default: true
+                        description: |-
+                          Enabled controls if rules are applied to existing resources during a background scan.
                           Optional. Default value is "true". The value must be set to "false" if the policy rule
                           uses variables that are only available in the admission review request (e.g. user name).
                         type: boolean
+                    type: object
+                type: object
               failurePolicy:
                 description: |-
                   failurePolicy defines how to handle failures for the admission policy. Failures can

config/install-latest-testing.yaml

@@ -48598,12 +48598,6 @@ spec:
             description: ValidatingPolicySpec is the specification of the desired
               behavior of the ValidatingPolicy.
             properties:
-              admission:
-                default: true
-                description: |-
-                  Admission controls if rules are applied during admission.
-                  Optional. Default value is "true".
-                type: boolean
               auditAnnotations:
                 description: |-
                   auditAnnotations contains CEL expressions which are used to produce audit
@@ -48656,13 +48650,33 @@ spec:
                   type: object
                 type: array
                 x-kubernetes-list-type: atomic
-              background:
+              evaluationConfiguration:
+                description: EvaluationConfiguration defines the configuration for
+                  the policy evaluation.
+                properties:
+                  admission:
+                    description: Admission controls policy evaluation during admission.
+                    properties:
+                      enabled:
                         default: true
                         description: |-
-                  Background controls if rules are applied to existing resources during a background scan.
+                          Enabled controls if rules are applied during admission.
+                          Optional. Default value is "true".
+                        type: boolean
+                    type: object
+                  background:
+                    description: Background  controls policy evaluation during background
+                      scan.
+                    properties:
+                      enabled:
+                        default: true
+                        description: |-
+                          Enabled controls if rules are applied to existing resources during a background scan.
                           Optional. Default value is "true". The value must be set to "false" if the policy rule
                           uses variables that are only available in the admission review request (e.g. user name).
                         type: boolean
+                    type: object
+                type: object
               failurePolicy:
                 description: |-
                   failurePolicy defines how to handle failures for the admission policy. Failures can

docs/user/crd/index.html

@@ -10840,29 +10840,16 @@ WebhookConfiguration
 </tr>
 <tr>
 <td>
-<code>admission</code><br/>
+<code>evaluationConfiguration</code><br/>
 <em>
-bool
+<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
+EvaluationConfiguration
+</a>
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>Admission controls if rules are applied during admission.
-Optional. Default value is &ldquo;true&rdquo;.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>background</code><br/>
-<em>
-bool
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Background controls if rules are applied to existing resources during a background scan.
-Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
-uses variables that are only available in the admission review request (e.g. user name).</p>
+<p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
 </td>
 </tr>
 </table>
@@ -10885,6 +10872,38 @@ PolicyStatus
 </tbody>
 </table>
 <hr />
+<h3 id="policies.kyverno.io/v1alpha1.AdmissionConfiguration">AdmissionConfiguration
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>enabled</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Enabled controls if rules are applied during admission.
+Optional. Default value is &ldquo;true&rdquo;.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="policies.kyverno.io/v1alpha1.Attestation">Attestation
 </h3>
 <p>
@@ -11115,6 +11134,39 @@ Kubernetes admissionregistration/v1.MatchResources
 </tbody>
 </table>
 <hr />
+<h3 id="policies.kyverno.io/v1alpha1.BackgroundConfiguration">BackgroundConfiguration
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>enabled</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Enabled controls if rules are applied to existing resources during a background scan.
+Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
+uses variables that are only available in the admission review request (e.g. user name).</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="policies.kyverno.io/v1alpha1.CELPolicyExceptionSpec">CELPolicyExceptionSpec
 </h3>
 <p>
@@ -11490,6 +11542,53 @@ Secrets must live in the Kyverno namespace.</p>
 <p>
 <p>CredentialsProvidersType provides the list of credential providers required.</p>
 </p>
+<h3 id="policies.kyverno.io/v1alpha1.EvaluationConfiguration">EvaluationConfiguration
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#policies.kyverno.io/v1alpha1.ValidatingPolicySpec">ValidatingPolicySpec</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>admission</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.AdmissionConfiguration">
+AdmissionConfiguration
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Admission controls policy evaluation during admission.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>background</code><br/>
+<em>
+<a href="#policies.kyverno.io/v1alpha1.BackgroundConfiguration">
+BackgroundConfiguration
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Background  controls policy evaluation during background scan.</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
 <h3 id="policies.kyverno.io/v1alpha1.GenericPolicy">GenericPolicy
 </h3>
 <p>
@@ -12607,29 +12706,16 @@ WebhookConfiguration
 </tr>
 <tr>
 <td>
-<code>admission</code><br/>
+<code>evaluationConfiguration</code><br/>
 <em>
-bool
+<a href="#policies.kyverno.io/v1alpha1.EvaluationConfiguration">
+EvaluationConfiguration
+</a>
 </em>
 </td>
 <td>
 <em>(Optional)</em>
-<p>Admission controls if rules are applied during admission.
-Optional. Default value is &ldquo;true&rdquo;.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>background</code><br/>
-<em>
-bool
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Background controls if rules are applied to existing resources during a background scan.
-Optional. Default value is &ldquo;true&rdquo;. The value must be set to &ldquo;false&rdquo; if the policy rule
-uses variables that are only available in the admission review request (e.g. user name).</p>
+<p>EvaluationConfiguration defines the configuration for the policy evaluation.</p>
 </td>
 </tr>
 </tbody>

pkg/cel/policy/filter_test.go

@@ -0,0 +1,62 @@
+package policy
+
+import (
+	"testing"
+
+	"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/utils/ptr"
+)
+
+func TestRemoveNoneBackgroundPolicies(t *testing.T) {
+	yes := v1alpha1.ValidatingPolicy{
+		Spec: v1alpha1.ValidatingPolicySpec{
+			EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
+				Background: &v1alpha1.BackgroundConfiguration{
+					Enabled: ptr.To(true),
+				},
+			},
+		},
+	}
+	no := v1alpha1.ValidatingPolicy{
+		Spec: v1alpha1.ValidatingPolicySpec{
+			EvaluationConfiguration: &v1alpha1.EvaluationConfiguration{
+				Background: &v1alpha1.BackgroundConfiguration{
+					Enabled: ptr.To(false),
+				},
+			},
+		},
+	}
+	tests := []struct {
+		name     string
+		policies []v1alpha1.ValidatingPolicy
+		want     []v1alpha1.ValidatingPolicy
+	}{{
+		name:     "nil",
+		policies: nil,
+		want:     []v1alpha1.ValidatingPolicy{},
+	}, {
+		name:     "empty",
+		policies: []v1alpha1.ValidatingPolicy{},
+		want:     []v1alpha1.ValidatingPolicy{},
+	}, {
+		name:     "only no",
+		policies: []v1alpha1.ValidatingPolicy{no},
+		want:     []v1alpha1.ValidatingPolicy{},
+	}, {
+		name:     "only yes",
+		policies: []v1alpha1.ValidatingPolicy{yes},
+		want:     []v1alpha1.ValidatingPolicy{yes},
+	}, {
+		name:     "both",
+		policies: []v1alpha1.ValidatingPolicy{yes, no},
+		want:     []v1alpha1.ValidatingPolicy{yes},
+	},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := RemoveNoneBackgroundPolicies(tt.policies)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/utils/slices/filter.go

@@ -7,6 +7,5 @@ func Filter[T any](list []T, filter func(T) bool) []T {
 			filtered = append(filtered, item)
 		}
 	}
-
 	return filtered
 }