feat: migrate validationFailureAction and validationFailureActionOverrides (#10528)
* feat: migrate validationFailureAction and validationFailureActionOverrides under validate rule Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: add unit tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
88ae60ea9d
commit
ff88c4c39a
32 changed files with 4676 additions and 269 deletions
@ -419,6 +419,19 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) {
|
|||
|
||||
// Validation defines checks to be performed on matching resources.
|
||||
type Validation struct {
|
||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||
// the admission review request (enforce), or allow (audit) the admission review request
|
||||
// and report an error in a policy report. Optional.
|
||||
// Allowed values are audit or enforce.
|
||||
// +optional
|
||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||
|
||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
// +optional
|
||||
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||
|
||||
// Message specifies a custom message to be displayed on failure.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
||||
|
|
|
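Review bot: The field comments copied onto Validation still describe spec-level semantics: `ValidationFailureActionOverrides is a Cluster Policy attribute` is no longer accurate for a per-rule field, and nothing says what a nil ValidationFailureAction means for the rule. Suggest `// ValidationFailureActionOverrides specifies ValidationFailureAction namespace-wise for this rule. It overrides ValidationFailureAction for the specified namespaces.` and, on the pointer field, `// If unset, the (deprecated) spec-level validationFailureAction applies.`, which is the fallback the new Spec.GetValidationFailureAction in this commit implements, so the comment would match the code. The same wording is duplicated in the v2beta1 Validation hunk. The rest of the Validation struct continues outside the hunk.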
@ -63,18 +63,12 @@ type Spec struct {
|
|||
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
||||
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
||||
|
||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||
// the admission review request (enforce), or allow (audit) the admission review request
|
||||
// and report an error in a policy report. Optional.
|
||||
// Allowed values are audit or enforce. The default value is "Audit".
|
||||
// +optional
|
||||
// Deprecated, use validationFailureAction under the validate rule instead.
|
||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||
// +kubebuilder:default=Audit
|
||||
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||
|
||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
// +optional
|
||||
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
|
||||
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||
|
||||
// Admission controls if rules are applied during admission.
|
||||
|
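Review bot: The deprecation sentence sits between the field description and the kubebuilder markers, and the generated CRD hunks further down show the effect: the `description` of spec.validationFailureAction becomes only `Deprecated, use validationFailureAction under the validate rule instead.` while `default: Audit` and the enum are kept, so the API docs lose the audit/enforce semantics of a field that still has a default and is still honoured as the fallback. Go's convention is a separate trailing paragraph `// Deprecated: use validationFailureAction under the validate rule instead.` so that tooling surfaces the deprecation; whether controller-gen then keeps the preceding paragraph in the description should be confirmed by regenerating. The same applies to ValidationFailureActionOverrides in this hunk and to both fields in the v2beta1 Spec hunk. Spec continues outside the hunk.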
@ -234,6 +228,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
|
|||
return *s.Background
|
||||
}
|
||||
|
||||
// GetValidationFailureAction returns the value of the validationFailureAction
|
||||
func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
|
||||
for _, rule := range s.Rules {
|
||||
if rule.HasValidate() {
|
||||
validationFailureAction := rule.Validation.ValidationFailureAction
|
||||
if validationFailureAction != nil {
|
||||
return *validationFailureAction
|
||||
}
|
||||
}
|
||||
}
|
||||
return s.ValidationFailureAction
|
||||
}
|
||||
|
||||
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
|
||||
func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride {
|
||||
for _, rule := range s.Rules {
|
||||
if rule.HasValidate() {
|
||||
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
||||
if len(validationFailureActionOverrides) != 0 {
|
||||
return validationFailureActionOverrides
|
||||
}
|
||||
}
|
||||
}
|
||||
return s.ValidationFailureActionOverrides
|
||||
}
|
||||
|
||||
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
||||
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
||||
for _, rule := range s.Rules {
|
||||
|
|
|
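Review bot: GetValidationFailureAction returns the first validate rule's value as the action for the whole spec, so with two validate rules where the first sets Audit and the second Enforce, any caller that decides block-versus-report from this spec-level getter will treat the Enforce rule as Audit; GetValidationFailureActionOverrides has the same first-rule-wins shape. Whether admission callers use these getters or read rule.Validation directly is not visible here, and mixing per-rule values with the deprecated spec-level field may be rejected by policy validation elsewhere, but the getters' contract should at least be stated in the doc comment: `// GetValidationFailureAction returns the validationFailureAction of the first validate rule that sets it, falling back to the deprecated spec-level field.` with the matching sentence on the overrides getter. If callers need the per-rule value, an accessor on the rule would avoid one rule's action leaking onto another. The same applies to the v2beta1 Spec copies of both getters.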
@ -1585,6 +1585,18 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
|
|||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||
*out = *in
|
||||
if in.ValidationFailureAction != nil {
|
||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
||||
*out = new(ValidationFailureAction)
|
||||
**out = **in
|
||||
}
|
||||
if in.ValidationFailureActionOverrides != nil {
|
||||
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
||||
*out = make([]ValidationFailureActionOverride, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Manifests != nil {
|
||||
in, out := &in.Manifests, &out.Manifests
|
||||
*out = new(Manifests)
|
||||
|
|
|
@ -8,6 +8,19 @@ import (
|
|||
|
||||
// Validation defines checks to be performed on matching resources.
|
||||
type Validation struct {
|
||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||
// the admission review request (enforce), or allow (audit) the admission review request
|
||||
// and report an error in a policy report. Optional.
|
||||
// Allowed values are audit or enforce.
|
||||
// +optional
|
||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||
|
||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
// +optional
|
||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||
|
||||
// Message specifies a custom message to be displayed on failure.
|
||||
// +optional
|
||||
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
||||
|
|
|
@ -26,18 +26,12 @@ type Spec struct {
|
|||
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
||||
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
||||
|
||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||
// the admission review request (enforce), or allow (audit) the admission review request
|
||||
// and report an error in a policy report. Optional.
|
||||
// Allowed values are audit or enforce. The default value is "Audit".
|
||||
// +optional
|
||||
// Deprecated, use validationFailureAction under the validate rule instead.
|
||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||
// +kubebuilder:default=Audit
|
||||
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||
|
||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
// +optional
|
||||
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
|
||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||
|
||||
// Admission controls if rules are applied during admission.
|
||||
|
@ -203,6 +197,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
|
|||
return *s.Background
|
||||
}
|
||||
|
||||
// GetValidationFailureAction returns the value of the validationFailureAction
|
||||
func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
|
||||
for _, rule := range s.Rules {
|
||||
if rule.HasValidate() {
|
||||
validationFailureAction := rule.Validation.ValidationFailureAction
|
||||
if validationFailureAction != nil {
|
||||
return *validationFailureAction
|
||||
}
|
||||
}
|
||||
}
|
||||
return s.ValidationFailureAction
|
||||
}
|
||||
|
||||
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
|
||||
func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride {
|
||||
for _, rule := range s.Rules {
|
||||
if rule.HasValidate() {
|
||||
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
||||
if len(validationFailureActionOverrides) != 0 {
|
||||
return validationFailureActionOverrides
|
||||
}
|
||||
}
|
||||
}
|
||||
return s.ValidationFailureActionOverrides
|
||||
}
|
||||
|
||||
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
||||
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
||||
for _, rule := range s.Rules {
|
||||
|
|
|
@ -831,6 +831,18 @@ func (in *Spec) DeepCopy() *Spec {
|
|||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||
*out = *in
|
||||
if in.ValidationFailureAction != nil {
|
||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
||||
*out = new(v1.ValidationFailureAction)
|
||||
**out = **in
|
||||
}
|
||||
if in.ValidationFailureActionOverrides != nil {
|
||||
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
||||
*out = make([]v1.ValidationFailureActionOverride, len(*in))
|
||||
for i := range *in {
|
||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||
}
|
||||
}
|
||||
if in.Manifests != nil {
|
||||
in, out := &in.Manifests, &out.Manifests
|
||||
*out = new(v1.Manifests)
|
||||
|
|
|
@ -3429,6 +3429,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4212,11 +4295,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4224,9 +4304,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7713,6 +7792,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11797,6 +11959,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12549,11 +12794,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12561,9 +12803,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16050,6 +16291,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -3430,6 +3430,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4213,11 +4296,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4225,9 +4305,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7715,6 +7794,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11800,6 +11962,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12552,11 +12797,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12564,9 +12806,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16053,6 +16294,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -3423,6 +3423,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4206,11 +4289,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4218,9 +4298,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7707,6 +7786,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11791,6 +11953,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12543,11 +12788,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12555,9 +12797,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16044,6 +16285,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -3424,6 +3424,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4207,11 +4290,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4219,9 +4299,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7709,6 +7788,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11794,6 +11956,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12546,11 +12791,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12558,9 +12800,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16047,6 +16288,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
|
|||
assert.NotNil(t, policy)
|
||||
spec := policy.GetSpec()
|
||||
assert.NotNil(t, spec)
|
||||
assert.True(t, spec.ValidationFailureAction.Audit())
|
||||
assert.True(t, spec.GetValidationFailureAction().Audit())
|
||||
assert.NotNil(t, spec.Background)
|
||||
assert.True(t, *spec.Background)
|
||||
assert.NotNil(t, spec.Admission)
|
||||
|
|
|
@ -3423,6 +3423,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4206,11 +4289,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4218,9 +4298,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7707,6 +7786,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11791,6 +11953,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12543,11 +12788,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12555,9 +12797,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16044,6 +16285,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -3424,6 +3424,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -4207,11 +4290,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -4219,9 +4299,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -7709,6 +7788,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -11794,6 +11956,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -12546,11 +12791,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -12558,9 +12800,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -16047,6 +16288,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -8630,6 +8630,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -9413,11 +9496,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -9425,9 +9505,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -12914,6 +12993,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -16998,6 +17160,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -17750,11 +17995,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -17762,9 +18004,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -21251,6 +21492,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -25845,6 +26169,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -26628,11 +27035,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -26640,9 +27044,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -30130,6 +30533,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -34215,6 +34701,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the policy
|
||||
validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
selector requirements. The requirements are
|
||||
ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that the
|
||||
selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
@ -34967,11 +35536,8 @@ spec:
|
|||
type: boolean
|
||||
validationFailureAction:
|
||||
default: Audit
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".
|
||||
description: Deprecated, use validationFailureAction under the validate
|
||||
rule instead.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
|
@ -34979,9 +35545,8 @@ spec:
|
|||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
description: Deprecated, use validationFailureActionOverrides under
|
||||
the validate rule instead.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
|
@ -38468,6 +39033,89 @@ spec:
|
|||
- latest
|
||||
type: string
|
||||
type: object
|
||||
validationFailureAction:
|
||||
description: |-
|
||||
ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
validationFailureActionOverrides:
|
||||
description: |-
|
||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||
items:
|
||||
properties:
|
||||
action:
|
||||
description: ValidationFailureAction defines the
|
||||
policy validation failure action
|
||||
enum:
|
||||
- audit
|
||||
- enforce
|
||||
- Audit
|
||||
- Enforce
|
||||
type: string
|
||||
namespaceSelector:
|
||||
description: |-
|
||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||
label selector matches no objects.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of
|
||||
label selector requirements. The requirements
|
||||
are ANDed.
|
||||
items:
|
||||
description: |-
|
||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||
relates the key and values.
|
||||
properties:
|
||||
key:
|
||||
description: key is the label key that
|
||||
the selector applies to.
|
||||
type: string
|
||||
operator:
|
||||
description: |-
|
||||
operator represents a key's relationship to a set of values.
|
||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||
type: string
|
||||
values:
|
||||
description: |-
|
||||
values is an array of string values. If the operator is In or NotIn,
|
||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||
the values array must be empty. This array is replaced during a strategic
|
||||
merge patch.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
required:
|
||||
- key
|
||||
- operator
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-type: atomic
|
||||
matchLabels:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: |-
|
||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||
type: object
|
||||
type: object
|
||||
x-kubernetes-map-type: atomic
|
||||
namespaces:
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
verifyImages:
|
||||
description: VerifyImages is used to verify image signatures
|
||||
|
|
|
@ -160,11 +160,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -177,9 +173,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -428,11 +422,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -445,9 +435,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -3951,11 +3939,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -3968,9 +3952,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -4377,6 +4359,38 @@ It is an empty string when validating admission policy is successfully generated
|
|||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>validationFailureAction</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||
ValidationFailureAction
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>validationFailureActionOverrides</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||
[]ValidationFailureActionOverride
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>message</code><br/>
|
||||
<em>
|
||||
string
|
||||
|
@ -4495,8 +4509,10 @@ CEL
|
|||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
||||
<a href="#kyverno.io/v1.Validation">Validation</a>,
|
||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>,
|
||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
|
||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
|
||||
</p>
|
||||
<p>
|
||||
<p>ValidationFailureAction defines the policy validation failure action</p>
|
||||
|
@ -4506,7 +4522,9 @@ CEL
|
|||
<p>
|
||||
(<em>Appears on:</em>
|
||||
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
|
||||
<a href="#kyverno.io/v1.Validation">Validation</a>,
|
||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>,
|
||||
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
|
||||
</p>
|
||||
<p>
|
||||
</p>
|
||||
|
@ -7375,11 +7393,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -7392,9 +7406,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -7642,11 +7654,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -7659,9 +7667,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -9029,11 +9035,7 @@ ValidationFailureAction
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -9046,9 +9048,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -9185,6 +9185,38 @@ WebhookConfiguration
|
|||
<tbody>
|
||||
<tr>
|
||||
<td>
|
||||
<code>validationFailureAction</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||
ValidationFailureAction
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>validationFailureActionOverrides</code><br/>
|
||||
<em>
|
||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||
[]ValidationFailureActionOverride
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>
|
||||
<code>message</code><br/>
|
||||
<em>
|
||||
string
|
||||
|
@ -235,6 +235,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -249,10 +251,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -267,6 +266,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -281,8 +282,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -792,6 +792,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -806,10 +808,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -824,6 +823,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -838,8 +839,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -7827,6 +7827,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -7841,10 +7843,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -7859,6 +7858,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -7873,8 +7874,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -8740,6 +8740,68 @@ It is an empty string when validating admission policy is successfully generated
|
|||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<a href="#kyverno-io-v1-ValidationFailureAction">
|
||||
<span style="font-family: monospace">ValidationFailureAction</span>
|
||||
</a>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
|
||||
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
|
||||
</a>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>message</code>
|
||||
|
||||
|
@ -8979,6 +9041,7 @@ by specifying exclusions for Pod Security Standards controls.</p>
|
|||
<p>
|
||||
(<em>Appears in:</em>
|
||||
<a href="#kyverno-io-v1-Spec">Spec</a>,
|
||||
<a href="#kyverno-io-v1-Validation">Validation</a>,
|
||||
<a href="#kyverno-io-v1-ValidationFailureActionOverride">ValidationFailureActionOverride</a>)
|
||||
</p>
|
||||
|
||||
|
@ -8994,7 +9057,8 @@ by specifying exclusions for Pod Security Standards controls.</p>
|
|||
|
||||
<p>
|
||||
(<em>Appears in:</em>
|
||||
<a href="#kyverno-io-v1-Spec">Spec</a>)
|
||||
<a href="#kyverno-io-v1-Spec">Spec</a>,
|
||||
<a href="#kyverno-io-v1-Validation">Validation</a>)
|
||||
</p>
|
||||
|
||||
|
||||
|
@ -835,6 +835,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -849,10 +851,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -867,6 +866,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -881,8 +882,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -1394,6 +1394,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -1408,10 +1410,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -1426,6 +1425,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -1440,8 +1441,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -4165,6 +4165,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -4179,10 +4181,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -4197,6 +4196,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
<span style="color:blue;"> *</span>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
@ -4211,8 +4212,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
|||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||
|
||||
|
||||
|
||||
|
@ -4516,6 +4516,68 @@ Defaults to "false" if not specified.</p>
|
|||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>validationFailureAction</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<a href="#kyverno-io-v1-ValidationFailureAction">
|
||||
<span style="font-family: monospace">ValidationFailureAction</span>
|
||||
</a>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||
the admission review request (enforce), or allow (audit) the admission review request
|
||||
and report an error in a policy report. Optional.
|
||||
Allowed values are audit or enforce.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>validationFailureActionOverrides</code>
|
||||
|
||||
</br>
|
||||
|
||||
|
||||
|
||||
|
||||
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
|
||||
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
|
||||
</a>
|
||||
|
||||
|
||||
</td>
|
||||
<td>
|
||||
|
||||
|
||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
<tr>
|
||||
<td><code>message</code>
|
||||
|
||||
|
@ -19,20 +19,23 @@ limitations under the License.
|
|||
package v1
|
||||
|
||||
import (
|
||||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
)
|
||||
|
||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||
// with apply.
|
||||
type ValidationApplyConfiguration struct {
|
||||
Message *string `json:"message,omitempty"`
|
||||
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
||||
ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
||||
Message *string `json:"message,omitempty"`
|
||||
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
||||
}
|
||||
|
||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||
|
@ -41,6 +44,27 @@ func Validation() *ValidationApplyConfiguration {
|
|||
return &ValidationApplyConfiguration{}
|
||||
}
|
||||
|
||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
||||
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||
b.ValidationFailureAction = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
||||
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||
for i := range values {
|
||||
if values[i] == nil {
|
||||
panic("nil value passed to WithValidationFailureActionOverrides")
|
||||
}
|
||||
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithMessage sets the Message field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Message field is set to the value of the last call.
|
||||
|
@ -19,21 +19,24 @@ limitations under the License.
|
|||
package v2beta1
|
||||
|
||||
import (
|
||||
v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
|
||||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
|
||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||
)
|
||||
|
||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||
// with apply.
|
||||
type ValidationApplyConfiguration struct {
|
||||
Message *string `json:"message,omitempty"`
|
||||
Manifests *v1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||
ForEachValidation []v1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||
PodSecurity *v1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||
CEL *v1.CELApplyConfiguration `json:"cel,omitempty"`
|
||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
||||
Message *string `json:"message,omitempty"`
|
||||
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
|
||||
}
|
||||
|
||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||
|
@ -42,6 +45,27 @@ func Validation() *ValidationApplyConfiguration {
|
|||
return &ValidationApplyConfiguration{}
|
||||
}
|
||||
|
||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
||||
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||
b.ValidationFailureAction = &value
|
||||
return b
|
||||
}
|
||||
|
||||
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
||||
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||
for i := range values {
|
||||
if values[i] == nil {
|
||||
panic("nil value passed to WithValidationFailureActionOverrides")
|
||||
}
|
||||
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
||||
}
|
||||
return b
|
||||
}
|
||||
|
||||
// WithMessage sets the Message field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Message field is set to the value of the last call.
|
||||
|
@ -53,7 +77,7 @@ func (b *ValidationApplyConfiguration) WithMessage(value string) *ValidationAppl
|
|||
// WithManifests sets the Manifests field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the Manifests field is set to the value of the last call.
|
||||
func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
|
||||
func (b *ValidationApplyConfiguration) WithManifests(value *kyvernov1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
|
||||
b.Manifests = value
|
||||
return b
|
||||
}
|
||||
|
@ -61,7 +85,7 @@ func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyCon
|
|||
// WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
|
||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||
// If called multiple times, values provided by each call will be appended to the ForEachValidation field.
|
||||
func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*v1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
|
||||
func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*kyvernov1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
|
||||
for i := range values {
|
||||
if values[i] == nil {
|
||||
panic("nil value passed to WithForEachValidation")
|
||||
|
@ -98,7 +122,7 @@ func (b *ValidationApplyConfiguration) WithDeny(value *DenyApplyConfiguration) *
|
|||
// WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the PodSecurity field is set to the value of the last call.
|
||||
func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
|
||||
func (b *ValidationApplyConfiguration) WithPodSecurity(value *kyvernov1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
|
||||
b.PodSecurity = value
|
||||
return b
|
||||
}
|
||||
|
@ -106,7 +130,7 @@ func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityAppl
|
|||
// WithCEL sets the CEL field in the declarative configuration to the given value
|
||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||
// If called multiple times, the CEL field is set to the value of the last call.
|
||||
func (b *ValidationApplyConfiguration) WithCEL(value *v1.CELApplyConfiguration) *ValidationApplyConfiguration {
|
||||
func (b *ValidationApplyConfiguration) WithCEL(value *kyvernov1.CELApplyConfiguration) *ValidationApplyConfiguration {
|
||||
b.CEL = value
|
||||
return b
|
||||
}
|
||||
|
|
|
@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
|
|||
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
|
||||
}
|
||||
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
|
||||
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
|
||||
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
|
||||
err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
|
||||
if err != nil {
|
||||
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
|
||||
|
|
|
@ -199,7 +199,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
|||
return ""
|
||||
}
|
||||
spec := pol.AsKyvernoPolicy().GetSpec()
|
||||
for _, v := range spec.ValidationFailureActionOverrides {
|
||||
for _, v := range spec.GetValidationFailureActionOverrides() {
|
||||
if !v.Action.IsValid() {
|
||||
continue
|
||||
}
|
||||
|
@ -221,5 +221,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
|||
}
|
||||
}
|
||||
}
|
||||
return spec.ValidationFailureAction
|
||||
return spec.GetValidationFailureAction()
|
||||
}
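Review bot: `EngineResponse.GetValidationFailureAction` still resolves a single policy-wide answer from the spec getters (`spec.GetValidationFailureActionOverrides()` and `spec.GetValidationFailureAction()` on the two changed lines), even though the action and its overrides now also live on each rule's `validate` block. For a policy whose rules carry different actions, whichever rule the spec-level getter prefers (its resolution is outside this hunk) decides whether every failed rule blocks or merely audits, and the audit direction is fail-open for an admission gate. If resolving per failed rule is out of scope here, at least make the policy-level semantics explicit above the override loop: `// NOTE: resolved at policy level; rule-level validationFailureAction is folded in by Spec.GetValidationFailureAction, so a multi-rule policy with mixed actions yields one answer for all of its rules.` The function's head and the namespace-matching loop are outside the hunk.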
|
||||
|
|
|
@ -680,6 +680,8 @@ func TestEngineResponse_GetSuccessRules(t *testing.T) {
|
|||
func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||
resource := unstructured.Unstructured{}
|
||||
resource.SetNamespace("foo")
|
||||
audit := kyvernov1.Audit
|
||||
enforce := kyvernov1.Enforce
|
||||
type fields struct {
|
||||
PatchedResource unstructured.Unstructured
|
||||
GenericPolicy GenericPolicy
|
||||
|
@ -708,6 +710,36 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
|||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &audit,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
|
@ -734,6 +766,44 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
|||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"*"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: "invalid",
|
||||
Namespaces: []string{"*"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
PatchedResource: resource,
|
||||
|
@ -892,6 +962,212 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
|||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"foo"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"bar"},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"bar": "foo",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"foo"},
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"bar": "foo",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"bar"},
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Enforce,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"foo"},
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}, {
|
||||
fields: fields{
|
||||
namespaceLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
PatchedResource: resource,
|
||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||
Action: kyvernov1.Audit,
|
||||
Namespaces: []string{"*"},
|
||||
NamespaceSelector: &metav1.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"foo": "bar",
|
||||
},
|
||||
},
|
||||
}},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}),
|
||||
},
|
||||
want: kyvernov1.Audit,
|
||||
}}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
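Review bot: Every new case in this section builds a policy with exactly one rule, so the precedence between a rule-level `validationFailureAction` and the spec-level one, and between two rules with different actions, is never pinned. Since the spec getters used by the code under test collapse the rule-level values into one policy-wide answer, a two-rule case is the one that documents (and guards) whatever precedence the project intends; I would add it next to the existing single-rule cases, with the `want` set to the documented precedence.
```go
}, {
	// two rules with different rule-level actions: pins which one wins
	fields: fields{
		GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
			Spec: kyvernov1.Spec{
				Rules: []kyvernov1.Rule{
					{Validation: kyvernov1.Validation{ValidationFailureAction: &audit}},
					{Validation: kyvernov1.Validation{ValidationFailureAction: &enforce}},
				},
			},
		}),
	},
	want: kyvernov1.Enforce, // TODO(review): set to the documented precedence
// … unchanged: remaining cases …
```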
|
||||
|
|
|
@ -77,6 +77,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
|
|||
policyType = Namespaced
|
||||
}
|
||||
backgroundMode := ParsePolicyBackgroundMode(policy)
|
||||
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
|
||||
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
|
||||
return name, namespace, policyType, backgroundMode, validationMode, err
|
||||
}
|
||||
|
|
|
@ -78,8 +78,8 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
|
|||
}
|
||||
|
||||
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
|
||||
validationFailureAction := policy.GetSpec().ValidationFailureAction
|
||||
validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
|
||||
validationFailureAction := policy.GetSpec().GetValidationFailureAction()
|
||||
validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
|
||||
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
|
|||
}
|
||||
|
||||
func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
|
||||
if spec.ValidationFailureAction.Enforce() {
|
||||
if spec.GetValidationFailureAction().Enforce() {
|
||||
return true
|
||||
}
|
||||
for _, k := range spec.ValidationFailureActionOverrides {
|
||||
for _, k := range spec.GetValidationFailureActionOverrides() {
|
||||
if k.Action.Enforce() {
|
||||
return true
|
||||
}
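Review bot: `computeEnforcePolicy` only consults the spec-level getters, so whether a policy with rule-level settings is classified as enforcing depends on how `Spec.GetValidationFailureAction` collapses several rules into one value (that getter is outside the hunk). If it returns the first rule's action, a policy whose first rule audits and whose second rule enforces — or whose enforce lives only in a rule-level override — is treated as non-enforcing here, which for code that sorts policies into enforce/audit paths is the fail-open direction. Walking the rules explicitly removes the dependency on the getter's tie-break; the function's final `return` is outside the hunk.
```go
	for _, k := range spec.GetValidationFailureActionOverrides() {
		if k.Action.Enforce() {
			return true
		}
	}
	// Rule-level settings are not necessarily surfaced by the spec getters:
	// any rule that enforces, directly or through one of its overrides,
	// makes the whole policy an enforcing policy.
	for _, rule := range spec.Rules {
		if a := rule.Validation.ValidationFailureAction; a != nil && a.Enforce() {
			return true
		}
		for _, k := range rule.Validation.ValidationFailureActionOverrides {
			if k.Action.Enforce() {
				return true
			}
		}
	}
	// … unchanged: final return …
```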
|
||||
|
|
|
@ -77,7 +77,7 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al
|
|||
|
||||
// set validation action for vap binding
|
||||
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
||||
action := cpol.GetSpec().ValidationFailureAction
|
||||
action := cpol.GetSpec().GetValidationFailureAction()
|
||||
if action.Enforce() {
|
||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
||||
} else if action.Audit() {
|
||||
|
|
|
@ -19,12 +19,13 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
|
|||
return false, msg
|
||||
}
|
||||
|
||||
if len(spec.ValidationFailureActionOverrides) > 1 {
|
||||
validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
|
||||
if len(validationFailureActionOverrides) > 1 {
|
||||
msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
|
||||
return false, msg
|
||||
}
|
||||
|
||||
if len(spec.ValidationFailureActionOverrides) != 0 && len(spec.ValidationFailureActionOverrides[0].Namespaces) != 0 {
|
||||
if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
|
||||
msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
|
||||
return false, msg
|
||||
}
|
||||
|
|
|
@ -391,6 +391,110 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
|
|||
]
|
||||
}
|
||||
}
|
||||
`),
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
name: "policy-with-multiple-validationFailureActionOverrides-in-validate-rule",
|
||||
policy: []byte(`
|
||||
{
|
||||
"apiVersion": "kyverno.io/v1",
|
||||
"kind": "ClusterPolicy",
|
||||
"metadata": {
|
||||
"name": "disallow-host-path"
|
||||
},
|
||||
"spec": {
|
||||
"rules": [
|
||||
{
|
||||
"name": "host-path",
|
||||
"match": {
|
||||
"any": [
|
||||
{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"validate": {
|
||||
"validationFailureAction": "Enforce",
|
||||
"validationFailureActionOverrides": [
|
||||
{
|
||||
"action": "Enforce",
|
||||
"namespaces": [
|
||||
"default"
|
||||
]
|
||||
},
|
||||
{
|
||||
"action": "Audit",
|
||||
"namespaces": [
|
||||
"test"
|
||||
]
|
||||
}
|
||||
],
|
||||
"cel": {
|
||||
"expressions": [
|
||||
{
|
||||
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
`),
|
||||
expected: false,
|
||||
},
|
||||
{
|
||||
name: "policy-with-namespace-in-validationFailureActionOverrides-in-validate-rule",
|
||||
policy: []byte(`
|
||||
{
|
||||
"apiVersion": "kyverno.io/v1",
|
||||
"kind": "ClusterPolicy",
|
||||
"metadata": {
|
||||
"name": "disallow-host-path"
|
||||
},
|
||||
"spec": {
|
||||
"rules": [
|
||||
{
|
||||
"name": "host-path",
|
||||
"match": {
|
||||
"any": [
|
||||
{
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"validate": {
|
||||
"validationFailureAction": "Enforce",
|
||||
"validationFailureActionOverrides": [
|
||||
{
|
||||
"action": "Enforce",
|
||||
"namespaces": [
|
||||
"test-ns"
|
||||
]
|
||||
}
|
||||
],
|
||||
"cel": {
|
||||
"expressions": [
|
||||
{
|
||||
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
`),
|
||||
expected: false,
|
||||
},
|
||||
|
|
|
@ -116,10 +116,10 @@ func validateJSONPatch(patch string, ruleIdx int) error {
|
|||
|
||||
func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
|
||||
msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
|
||||
if spec.ValidationFailureAction == "enforce" || spec.ValidationFailureAction == "audit" {
|
||||
if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
|
||||
return []string{msg}
|
||||
}
|
||||
for _, override := range spec.ValidationFailureActionOverrides {
|
||||
for _, override := range spec.GetValidationFailureActionOverrides() {
|
||||
if override.Action == "enforce" || override.Action == "audit" {
|
||||
return []string{msg}
|
||||
}
|
||||
|
@ -326,7 +326,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
|||
|
||||
if rule.HasVerifyImages() {
|
||||
isAuditFailureAction := false
|
||||
if spec.ValidationFailureAction == kyvernov1.Audit {
|
||||
if spec.GetValidationFailureAction() == kyvernov1.Audit {
|
||||
isAuditFailureAction = true
|
||||
}
|
||||
|
||||
|
@ -1555,7 +1555,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
|
|||
"auditW": sets.New[string](),
|
||||
}
|
||||
|
||||
for i, vfa := range s.ValidationFailureActionOverrides {
|
||||
for i, vfa := range s.GetValidationFailureActionOverrides() {
|
||||
if !vfa.Action.IsValid() {
|
||||
return fmt.Errorf("invalid action")
|
||||
}
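Review bot: Policy validation does not reject a policy that sets `validationFailureAction` both at spec level and inside a rule's `validate` block, so an operator reading `spec.validationFailureAction: Enforce` may believe the policy blocks while a rule-level `Audit` silently downgrades it (or the reverse, depending on which value the spec getter prefers — that resolution is outside the hunk). The deprecation check in `checkValidationFailureAction` and the override-conflict loop in `validateNamespaces` likewise only see the getter's view, so rule-level values the getter does not surface are never linted. Unless mixing is intended as a default-plus-override scheme (in which case the precedence belongs in the field's doc comment), I would reject the combination from `Validate` with a small helper; the surrounding `Validate` and `validateNamespaces` bodies are outside the hunk.
```go
// checkMixedValidationFailureAction returns an error when the policy-wide
// validationFailureAction is combined with rule-level settings, so the
// effective action is unambiguous to whoever reads the policy.
func checkMixedValidationFailureAction(spec *kyvernov1.Spec) error {
	if spec.ValidationFailureAction == "" {
		return nil
	}
	for _, rule := range spec.Rules {
		if rule.Validation.ValidationFailureAction != nil || len(rule.Validation.ValidationFailureActionOverrides) != 0 {
			return fmt.Errorf("rule %q: validationFailureAction is set both at spec level and in the validate block", rule.Name)
		}
	}
	return nil
}
```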
|
||||
|
|
|
@ -117,7 +117,7 @@ func (v *validationHandler) HandleValidationEnforce(
|
|||
|
||||
engineResponses = append(engineResponses, engineResponse)
|
||||
if !engineResponse.IsSuccessful() {
|
||||
logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
|
||||
logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
|
||||
return
|
||||
}
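Review bot: The "action" field in the "validation failed" log line reports `policy.GetSpec().GetValidationFailureAction()`, which ignores namespace overrides (and collapses rule-level settings), so the log can say `Enforce` for a request that was only audited in an overridden namespace, or vice versa — misleading when reconstructing an admission decision from logs. The engine response already resolves the effective action with overrides applied (its `GetValidationFailureAction` is in this commit), so log that instead: `logger.V(2).Info("validation failed", "action", engineResponse.GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())`. `HandleValidationEnforce` continues outside the hunk.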
|
||||
|
||||
@ -62,6 +62,38 @@ func TestBlockRequest(t *testing.T) {
|
|||
ValidationFailureAction: kyvernov1.Enforce,
|
||||
},
|
||||
})
|
||||
audit := kyvernov1.Audit
|
||||
auditRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Name: "rule-audit",
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &audit,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
enforce := kyvernov1.Enforce
|
||||
enforceRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
Spec: kyvernov1.Spec{
|
||||
Rules: []kyvernov1.Rule{
|
||||
{
|
||||
Name: "rule-enforce",
|
||||
Validation: kyvernov1.Validation{
|
||||
ValidationFailureAction: &enforce,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
resource := unstructured.Unstructured{
|
||||
Object: map[string]interface{}{
|
||||
"kind": "foo",
|
||||
|
@ -164,6 +196,90 @@ func TestBlockRequest(t *testing.T) {
|
|||
log: logr.Discard(),
|
||||
},
|
||||
want: false,
|
||||
}, {
|
||||
name: "failure - enforce",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, enforceRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Fail,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: true,
|
||||
}, {
|
||||
name: "failure - audit",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Fail,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: false,
|
||||
}, {
|
||||
name: "error - fail",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Fail,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: true,
|
||||
}, {
|
||||
name: "error - ignore",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Ignore,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: false,
|
||||
}, {
|
||||
name: "warning - ignore",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Ignore,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: false,
|
||||
}, {
|
||||
name: "warning - fail",
|
||||
args: args{
|
||||
engineResponses: []engineapi.EngineResponse{
|
||||
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||
Rules: []engineapi.RuleResponse{
|
||||
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
|
||||
},
|
||||
}),
|
||||
},
|
||||
failurePolicy: kyvernov1.Fail,
|
||||
log: logr.Discard(),
|
||||
},
|
||||
want: false,
|
||||
}}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
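Review bot: The new "failure - enforce" and "failure - audit" cases attach a failed rule named `rule-fail` to policies whose only rule is `rule-enforce` / `rule-audit`, so they pass regardless of whether the block decision is taken per policy or per rule — the name mismatch means nothing ties the failing rule to the rule that carries the action. A case with one policy holding an Audit rule and an Enforce rule, where only the Audit-named rule fails, would pin whether `BlockRequest` blocks on the policy-wide action or on the failing rule's action; as written, the suite cannot distinguish the two. Renaming the fail responses to match (`*engineapi.RuleFail("rule-enforce", …)` / `*engineapi.RuleFail("rule-audit", …)`) is a cheap first step.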