diff --git a/CHANGELOG.md b/CHANGELOG.md index 4e826e278a..06bf3db15c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## v1.5.8 +## Bug Fixes +- Kyverno CLI test and apply both fail when using `namespaceSelector` under `match.any` or `exclude.any` #3047 + ## v1.5.7 ## Bug Fixes diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index a5def0cda0..3672ca3d6d 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno-policies -version: v2.1.9 -appVersion: v1.5.7 +version: v2.1.10 +appVersion: v1.5.8 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management Policies keywords: diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 1cba29cc99..c82940f85f 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: v2.1.9 -appVersion: v1.5.7 +version: v2.1.10 +appVersion: v1.5.8 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 2f363b4a14..7dcc50d84e 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -12,7 +12,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -1313,7 +1313,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -1806,7 +1806,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -2299,7 +2299,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -2480,7 +2480,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policies.kyverno.io spec: group: kyverno.io @@ -3781,7 +3781,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -4274,7 +4274,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: reportchangerequests.kyverno.io spec: group: kyverno.io diff --git a/definitions/install.yaml b/definitions/install.yaml index 9edd229024..f71c8c0847 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2074,7 +2074,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2755,7 +2755,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3436,7 +3436,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3632,7 +3632,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policies.kyverno.io spec: group: kyverno.io @@ -5685,7 +5685,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6364,7 +6364,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7043,7 +7043,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-service-account namespace: kyverno --- @@ -7057,7 +7057,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7079,7 +7079,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7101,7 +7101,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7123,7 +7123,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:customresources rules: - apiGroups: @@ -7169,7 +7169,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:generatecontroller rules: - apiGroups: @@ -7204,7 +7204,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:leaderelection rules: - apiGroups: @@ -7228,7 +7228,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:policycontroller rules: - apiGroups: @@ -7251,7 +7251,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:userinfo rules: - apiGroups: @@ -7277,7 +7277,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:webhook rules: - apiGroups: @@ -7329,7 +7329,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io @@ -7350,7 +7350,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -7371,7 +7371,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:leaderelection roleRef: apiGroup: rbac.authorization.k8s.io @@ -7392,7 +7392,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -7413,7 +7413,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7434,7 +7434,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7459,7 +7459,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno --- @@ -7476,7 +7476,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-metrics namespace: kyverno --- @@ -7490,7 +7490,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-svc namespace: kyverno spec: @@ -7512,7 +7512,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7534,7 +7534,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno spec: @@ -7557,7 +7557,7 @@ spec: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 spec: affinity: podAntiAffinity: @@ -7586,7 +7586,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: ghcr.io/kyverno/kyverno:v1.5.7 + image: ghcr.io/kyverno/kyverno:v1.5.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7638,7 +7638,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.5.7 + image: ghcr.io/kyverno/kyvernopre:v1.5.8 imagePullPolicy: IfNotPresent name: kyverno-pre resources: @@ -7670,7 +7670,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno spec: diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index 9edd229024..f71c8c0847 100755 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml @@ -8,7 +8,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno --- apiVersion: apiextensions.k8s.io/v1 @@ -23,7 +23,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -2074,7 +2074,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -2755,7 +2755,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: clusterreportchangerequests.kyverno.io spec: group: kyverno.io @@ -3436,7 +3436,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: generaterequests.kyverno.io spec: group: kyverno.io @@ -3632,7 +3632,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policies.kyverno.io spec: group: kyverno.io @@ -5685,7 +5685,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -6364,7 +6364,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: reportchangerequests.kyverno.io spec: group: kyverno.io @@ -7043,7 +7043,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-service-account namespace: kyverno --- @@ -7057,7 +7057,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policies rules: @@ -7079,7 +7079,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-policyreport rules: @@ -7101,7 +7101,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 rbac.authorization.k8s.io/aggregate-to-admin: "true" name: kyverno:admin-reportchangerequest rules: @@ -7123,7 +7123,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:customresources rules: - apiGroups: @@ -7169,7 +7169,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:generatecontroller rules: - apiGroups: @@ -7204,7 +7204,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:leaderelection rules: - apiGroups: @@ -7228,7 +7228,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:policycontroller rules: - apiGroups: @@ -7251,7 +7251,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:userinfo rules: - apiGroups: @@ -7277,7 +7277,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:webhook rules: - apiGroups: @@ -7329,7 +7329,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:customresources roleRef: apiGroup: rbac.authorization.k8s.io @@ -7350,7 +7350,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:generatecontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -7371,7 +7371,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:leaderelection roleRef: apiGroup: rbac.authorization.k8s.io @@ -7392,7 +7392,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:policycontroller roleRef: apiGroup: rbac.authorization.k8s.io @@ -7413,7 +7413,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:userinfo roleRef: apiGroup: rbac.authorization.k8s.io @@ -7434,7 +7434,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno:webhook roleRef: apiGroup: rbac.authorization.k8s.io @@ -7459,7 +7459,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno --- @@ -7476,7 +7476,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-metrics namespace: kyverno --- @@ -7490,7 +7490,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-svc namespace: kyverno spec: @@ -7512,7 +7512,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno-svc-metrics namespace: kyverno spec: @@ -7534,7 +7534,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno spec: @@ -7557,7 +7557,7 @@ spec: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 spec: affinity: podAntiAffinity: @@ -7586,7 +7586,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: ghcr.io/kyverno/kyverno:v1.5.7 + image: ghcr.io/kyverno/kyverno:v1.5.8 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 2 @@ -7638,7 +7638,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: ghcr.io/kyverno/kyvernopre:v1.5.7 + image: ghcr.io/kyverno/kyvernopre:v1.5.8 imagePullPolicy: IfNotPresent name: kyverno-pre resources: @@ -7670,7 +7670,7 @@ metadata: app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/name: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 name: kyverno namespace: kyverno spec: diff --git a/definitions/release/kustomization.yaml b/definitions/release/kustomization.yaml index 3e9910e35e..d4560daa1d 100755 --- a/definitions/release/kustomization.yaml +++ b/definitions/release/kustomization.yaml @@ -9,6 +9,6 @@ transformers: images: - name: ghcr.io/kyverno/kyverno - newTag: v1.5.7 + newTag: v1.5.8 - name: ghcr.io/kyverno/kyvernopre - newTag: v1.5.7 + newTag: v1.5.8 diff --git a/definitions/release/labels.yaml b/definitions/release/labels.yaml index 4b4bf9c202..c5e857c6b2 100644 --- a/definitions/release/labels.yaml +++ b/definitions/release/labels.yaml @@ -4,7 +4,7 @@ kind: LabelTransformer metadata: name: labelTransformer labels: - app.kubernetes.io/version: v1.5.7 + app.kubernetes.io/version: v1.5.8 fieldSpecs: - path: metadata/labels create: true diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 01dfb42d82..ee96cf2fd0 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -450,12 +450,37 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } policyWithNamespaceSelector := false +OuterLoop: for _, p := range policy.Spec.Rules { if p.MatchResources.ResourceDescription.NamespaceSelector != nil || p.ExcludeResources.ResourceDescription.NamespaceSelector != nil { policyWithNamespaceSelector = true break } + for _, m := range p.MatchResources.Any { + if m.ResourceDescription.NamespaceSelector != nil { + policyWithNamespaceSelector = true + break OuterLoop + } + } + for _, m := range p.MatchResources.All { + if m.ResourceDescription.NamespaceSelector != nil { + policyWithNamespaceSelector = true + break OuterLoop + } + } + for _, e := range p.ExcludeResources.Any { + if e.ResourceDescription.NamespaceSelector != nil { + policyWithNamespaceSelector = true + break OuterLoop + } + } + for _, e := range p.ExcludeResources.All { + if e.ResourceDescription.NamespaceSelector != nil { + policyWithNamespaceSelector = true + break OuterLoop + } + } } if policyWithNamespaceSelector { diff --git a/test/cli/test/any-namespaceSelector/policy.yaml b/test/cli/test/any-namespaceSelector/policy.yaml new file mode 100644 index 0000000000..9bae40e88d --- /dev/null +++ b/test/cli/test/any-namespaceSelector/policy.yaml @@ -0,0 +1,25 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: enforce-pod-name +spec: + validationFailureAction: audit + background: true + rules: + - name: validate-name + match: + any: + - resources: + kinds: + - Pod + namespaceSelector: + matchExpressions: + - key: foo.com/managed-state + operator: In + values: + - managed + validate: + message: "The Pod must end with -nginx" + pattern: + metadata: + name: "*-nginx" diff --git a/test/cli/test/any-namespaceSelector/resource.yaml b/test/cli/test/any-namespaceSelector/resource.yaml new file mode 100644 index 0000000000..23c2d7b9c9 --- /dev/null +++ b/test/cli/test/any-namespaceSelector/resource.yaml @@ -0,0 +1,9 @@ +kind: Pod +apiVersion: v1 +metadata: + name: test-nginx + namespace: test1 +spec: + containers: + - name: nginx + image: nginx:latest diff --git a/test/cli/test/any-namespaceSelector/test.yaml b/test/cli/test/any-namespaceSelector/test.yaml new file mode 100644 index 0000000000..e42d541d73 --- /dev/null +++ b/test/cli/test/any-namespaceSelector/test.yaml @@ -0,0 +1,14 @@ +--- +name: enforce-pod-name +policies: + - policy.yaml +resources: + - resource.yaml +variables: value.yaml +results: + - policy: enforce-pod-name + rule: validate-name + resource: test-nginx + kind: Pod + namespace: test1 + result: pass diff --git a/test/cli/test/any-namespaceSelector/value.yaml b/test/cli/test/any-namespaceSelector/value.yaml new file mode 100644 index 0000000000..f54cb7bc3a --- /dev/null +++ b/test/cli/test/any-namespaceSelector/value.yaml @@ -0,0 +1,4 @@ +namespaceSelector: + - name: test1 + labels: + foo.com/managed-state: managed