From fb90636776ed2c349375aad425e49def0bed4a71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Tue, 3 Sep 2024 17:20:37 +0200
Subject: [PATCH] feat: add rule openapi validation (#10990)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 api/kyverno/v1/match_resources_types.go | 1 +
 .../kyverno.io_clusterpolicies.yaml | 24 ++++++++++
 .../kyverno.io/kyverno.io_policies.yaml | 24 ++++++++++
 .../data/crds/kyverno.io_clusterpolicies.yaml | 24 ++++++++++
 .../data/crds/kyverno.io_policies.yaml | 24 ++++++++++
 .../kyverno/kyverno.io_clusterpolicies.yaml | 24 ++++++++++
 config/crds/kyverno/kyverno.io_policies.yaml | 24 ++++++++++
 config/install-latest-testing.yaml | 48 +++++++++++++++++++
 8 files changed, 193 insertions(+)

diff --git a/api/kyverno/v1/match_resources_types.go b/api/kyverno/v1/match_resources_types.go
index 7996767dd4..ba98078157 100644
--- a/api/kyverno/v1/match_resources_types.go
+++ b/api/kyverno/v1/match_resources_types.go
@@ -7,6 +7,7 @@ import (
 
 // MatchResources is used to specify resource and admission review request data for
 // which a policy rule is applicable.
+// +kubebuilder:not:={required:{any,all}}
 type MatchResources struct {
 	// Any allows specifying resources which will be ORed
 	// +optional
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
index 94568e2b77..0f7c60d3ad 100644
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml
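Review bot: The `+kubebuilder:not:={required:{any,all}}` marker added above `type MatchResources struct` encodes a constraint — `any` and `all` must not both be set — that the doc comment never states, so a reader of the Go type, or of the `description` in the generated CRDs, has to reverse-engineer it from the schema's `not`/`required` block. Add it to the comment, e.g. `// Any and All are mutually exclusive; a MatchResources that sets both is rejected by CRD schema validation.` The constraint rejects only the both-set case, so a MatchResources with neither field is still schema-valid, which is consistent with the `+optional` markers but worth saying explicitly. If the same rule is also enforced at runtime (I cannot see that from this hunk), that check should presumably stay, since schema validation only covers objects that pass through the API server. The struct body continues past the end of the hunk.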
@@ -366,6 +366,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -1557,6 +1561,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5128,6 +5136,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -6334,6 +6346,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -14509,6 +14525,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -15715,6 +15735,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 359b49c833..0423b0f318 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -367,6 +367,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -1558,6 +1562,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5130,6 +5138,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -6336,6 +6348,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -14512,6 +14528,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -15718,6 +15738,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 3a7cb88e23..1ec82a2d04 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -360,6 +360,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -1551,6 +1555,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5122,6 +5130,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -6328,6 +6340,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -14503,6 +14519,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -15709,6 +15729,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 7889d48202..50737bdc1d 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -361,6 +361,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -1552,6 +1556,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5124,6 +5132,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -6330,6 +6342,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -14506,6 +14522,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -15712,6 +15732,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 3a7cb88e23..1ec82a2d04 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -360,6 +360,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -1551,6 +1555,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5122,6 +5130,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -6328,6 +6340,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -14503,6 +14519,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -15709,6 +15729,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 7889d48202..50737bdc1d 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -361,6 +361,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -1552,6 +1556,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -5124,6 +5132,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -6330,6 +6342,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -14506,6 +14522,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -15712,6 +15732,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index fe4d6e5d80..1d4cf1cd70 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -5515,6 +5515,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -6706,6 +6710,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -10277,6 +10285,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -11483,6 +11495,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -19658,6 +19674,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -20864,6 +20884,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -24810,6 +24834,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will 
@@ -26001,6 +26029,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -29573,6 +29605,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -30779,6 +30815,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -38955,6 +38995,10 @@ spec: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will @@ -40161,6 +40205,10 @@ spec: criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. + not: + required: + - any + - all properties: all: description: All allows specifying resources which will