diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index dc51fac338..cee5da6d71 100644
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -419,6 +419,19 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) {
 
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
+ // ValidationFailureAction defines if a validation policy rule violation should block
+ // the admission review request (enforce), or allow (audit) the admission review request
+ // and report an error in a policy report. Optional.
+ // Allowed values are audit or enforce.
+ // +optional
+ // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
+ ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
+
+ // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ // +optional
+ ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
+
 // Message specifies a custom message to be displayed on failure.
 // +optional
 Message string `json:"message,omitempty" yaml:"message,omitempty"`
diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index e665933912..f34a848f01 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
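Review bot: The doc comment on the new rule-level ValidationFailureActionOverrides still reads `is a Cluster Policy attribute`, copied from the spec-level field that this same commit deprecates, so a reader of the Go type or of the generated CRD schema cannot tell that this is now a per-rule setting or how it relates to the spec-level one. Suggest `// ValidationFailureActionOverrides specifies ValidationFailureAction namespace-wise for this validate rule. It overrides the rule-level ValidationFailureAction for the listed namespaces.` The comment on the rule-level ValidationFailureAction should also say what happens when it is unset; the field is a pointer with no `+kubebuilder:default`, while the spec-level field keeps `+kubebuilder:default=Audit`, presumably so an unset rule-level value falls through to the spec default — worth stating explicitly. The same text is duplicated in api/kyverno/v2beta1/common_types.go.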
@@ -63,18 +63,12 @@ type Spec struct {
 // Deprecated, use failurePolicy under the webhookConfiguration instead.
 FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
 
- // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
- // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce. The default value is "Audit".
- // +optional
+ // Deprecated, use validationFailureAction under the validate rule instead.
 // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 // +kubebuilder:default=Audit
 ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
- // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
- // +optional
+ // Deprecated, use validationFailureActionOverrides under the validate rule instead.
 ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
 
 // Admission controls if rules are applied during admission.
@@ -234,6 +228,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
 return *s.Background
 }
 
+// GetValidationFailureAction returns the value of the validationFailureAction
+func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ validationFailureAction := rule.Validation.ValidationFailureAction
+ if validationFailureAction != nil {
+ return *validationFailureAction
+ }
+ }
+ }
+ return s.ValidationFailureAction
+}
+
+// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
+func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
+ if len(validationFailureActionOverrides) != 0 {
+ return validationFailureActionOverrides
+ }
+ }
+ }
+ return s.ValidationFailureActionOverrides
+}
+
 // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
 func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 for _, rule := range s.Rules {
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go
index dc9358f5cd..571a9df491 100755
--- a/api/kyverno/v1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1/zz_generated.deepcopy.go
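Review bot: GetValidationFailureAction takes the action from the first validate rule that sets one and returns it for the whole spec, so in a policy with several validate rules a later rule's `validationFailureAction` is never consulted, and a rule its author set to `enforce` can end up evaluated as `audit` (or the reverse) because an earlier rule chose differently; GetValidationFailureActionOverrides has the same first-match behaviour. Whether the callers evaluate per rule or per policy is outside this diff, but through these accessors the new rule-level field cannot express per-rule behaviour, which is the point of adding it. A rule-scoped accessor that consults the given rule and falls back to the deprecated spec-level field would close that gap (sketched below, name is a proposal). At minimum the doc comments should state the precedence, e.g. `// GetValidationFailureAction returns the validationFailureAction of the first validate rule that sets one, falling back to the deprecated spec-level field.` The same applies to the v2beta1 copies of both getters in api/kyverno/v2beta1/spec_types.go.
```go
// ValidationFailureActionForRule returns the validationFailureAction that
// applies to rule: the rule-level value when set, otherwise the deprecated
// spec-level field.
func (s *Spec) ValidationFailureActionForRule(rule Rule) ValidationFailureAction {
	if rule.HasValidate() && rule.Validation.ValidationFailureAction != nil {
		return *rule.Validation.ValidationFailureAction
	}
	return s.ValidationFailureAction
}
// … unchanged: GetValidationFailureAction / GetValidationFailureActionOverrides …
```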
@@ -1585,6 +1585,18 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(Manifests) diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index 4dc822afd8..ca106b022e 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go 
@@ -8,6 +8,19 @@ import (
 
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
+ // ValidationFailureAction defines if a validation policy rule violation should block
+ // the admission review request (enforce), or allow (audit) the admission review request
+ // and report an error in a policy report. Optional.
+ // Allowed values are audit or enforce.
+ // +optional
+ // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
+ ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
+
+ // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ // +optional
+ ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
+
 // Message specifies a custom message to be displayed on failure.
 // +optional
 Message string `json:"message,omitempty" yaml:"message,omitempty"`
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go
index d6e7a4eb6b..2d1d7f883d 100644
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@@ -26,18 +26,12 @@ type Spec struct {
 // Deprecated, use failurePolicy under the webhookConfiguration instead.
 FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
 
- // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
- // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce. The default value is "Audit".
- // +optional
+ // Deprecated, use validationFailureAction under the validate rule instead.
 // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 // +kubebuilder:default=Audit
 ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
- // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
- // +optional
+ // Deprecated, use validationFailureActionOverrides under the validate rule instead.
 ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
 
 // Admission controls if rules are applied during admission.
@@ -203,6 +197,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
 return *s.Background
 }
 
+// GetValidationFailureAction returns the value of the validationFailureAction
+func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ validationFailureAction := rule.Validation.ValidationFailureAction
+ if validationFailureAction != nil {
+ return *validationFailureAction
+ }
+ }
+ }
+ return s.ValidationFailureAction
+}
+
+// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
+func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
+ if len(validationFailureActionOverrides) != 0 {
+ return validationFailureActionOverrides
+ }
+ }
+ }
+ return s.ValidationFailureActionOverrides
+}
+
 // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
 func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 for _, rule := range s.Rules {
diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go
index 485c3f3f3e..7b1eae6591 100755
--- a/api/kyverno/v2beta1/zz_generated.deepcopy.go
+++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go
@@ -831,6 +831,18 @@ func (in *Spec) DeepCopy() *Spec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]v1.ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(v1.Manifests) diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 46eed8160e..b07411cc11 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -3429,6 +3429,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4212,11 +4295,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4224,9 +4304,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7713,6 +7792,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11797,6 +11959,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12549,11 +12794,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12561,9 +12803,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16050,6 +16291,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 142dac3532..139230e953 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -3430,6 +3430,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4213,11 +4296,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4225,9 +4305,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7715,6 +7794,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11800,6 +11962,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12552,11 +12797,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12564,9 +12806,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16053,6 +16294,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 04a09d1212..a920093a20 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -3423,6 +3423,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4206,11 +4289,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4218,9 +4298,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7707,6 +7786,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11791,6 +11953,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12543,11 +12788,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12555,9 +12797,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16044,6 +16285,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 3135e1e5a7..60c0f9c59f 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -3424,6 +3424,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4207,11 +4290,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4219,9 +4299,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7709,6 +7788,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11794,6 +11956,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12546,11 +12791,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12558,9 +12800,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16047,6 +16288,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/policy/load_test.go b/cmd/cli/kubectl-kyverno/policy/load_test.go index 87d36183e3..1136980e21 100644 --- a/cmd/cli/kubectl-kyverno/policy/load_test.go +++ b/cmd/cli/kubectl-kyverno/policy/load_test.go @@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) { assert.NotNil(t, policy) spec := policy.GetSpec() assert.NotNil(t, spec) - assert.True(t, spec.ValidationFailureAction.Audit()) + assert.True(t, spec.GetValidationFailureAction().Audit()) assert.NotNil(t, spec.Background) assert.True(t, *spec.Background) assert.NotNil(t, spec.Admission) diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 04a09d1212..a920093a20 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml 
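Review bot: The updated assertion only exercises the spec-level path through `spec.GetValidationFailureAction()`, which the CRD hunks in this same commit mark as deprecated while adding a rule-level `validationFailureAction` that has no `default` next to the spec-level `default: Audit`. Which of the two wins is what decides whether a rule violation blocks the admission request or is merely reported, so a second fixture that sets `enforce` on the rule while leaving the spec at its default (and the reverse) would pin that precedence in this test rather than leaving it implied by the getter. I would also assert the getter's result is non-nil before calling `.Audit()` on it, since the rule-level field is a pointer in the schema and a nil return would panic the test instead of failing it; whether the getter can return nil is not visible here. TestLoadWithKubectlValidate starts before the hunk.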
@@ -3423,6 +3423,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4206,11 +4289,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4218,9 +4298,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7707,6 +7786,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11791,6 +11953,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12543,11 +12788,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12555,9 +12797,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16044,6 +16285,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 3135e1e5a7..60c0f9c59f 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml 
@@ -3424,6 +3424,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4207,11 +4290,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4219,9 +4299,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7709,6 +7788,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11794,6 +11956,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12546,11 +12791,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12558,9 +12800,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16047,6 +16288,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 52f7c7b82d..07683002ed 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -8630,6 +8630,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9413,11 +9496,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -9425,9 +9505,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -12914,6 +12993,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -16998,6 +17160,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -17750,11 +17995,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -17762,9 +18004,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -21251,6 +21492,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -25845,6 +26169,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -26628,11 +27035,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -26640,9 +27044,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -30130,6 +30533,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -34215,6 +34701,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -34967,11 +35536,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -34979,9 +35545,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -38468,6 +39033,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index a5f3f3f37e..9d3583e321 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -160,11 +160,7 @@ ValidationFailureAction
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
validationFailureAction
ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.
+validationFailureActionOverrides
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+message
(Appears on: Spec, +Validation, ValidationFailureActionOverride, -Spec) +Spec, +Validation)
ValidationFailureAction defines the policy validation failure action
@@ -4506,7 +4522,9 @@ CEL(Appears on: Spec, -Spec) +Validation, +Spec, +Validation)
@@ -7375,11 +7393,7 @@ ValidationFailureAction
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.
+Deprecated, use validationFailureAction under the validate rule instead.
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
validationFailureAction
ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.
+validationFailureActionOverrides
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+message
All
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -249,10 +251,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -267,6 +266,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -281,8 +282,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -792,6 +792,8 @@ set toAll
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -806,10 +808,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -824,6 +823,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -838,8 +839,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -7827,6 +7827,8 @@ set toAll
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -7841,10 +7843,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -7859,6 +7858,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -7873,8 +7874,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -8740,6 +8740,68 @@ It is an empty string when validating admission policy is successfully generated +validationFailureAction
+
+
+
+
+
+
+
+ ValidationFailureAction
+
+
+
+ ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.
+ + + + + +validationFailureActionOverrides
+
+
+
+
+
+
+
+ []ValidationFailureActionOverride
+
+
+
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ + + + + +message
@@ -8979,6 +9041,7 @@ by specifying exclusions for Pod Security Standards controls.
(Appears in: Spec, + Validation, ValidationFailureActionOverride)
@@ -8994,7 +9057,8 @@ by specifying exclusions for Pod Security Standards controls.(Appears in: - Spec) + Spec, + Validation)
diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 3b3b3efb82..495749aab6 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -835,6 +835,8 @@ set toAll
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -849,10 +851,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -867,6 +866,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -881,8 +882,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -1394,6 +1394,8 @@ set toAll
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -1408,10 +1410,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -1426,6 +1425,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -1440,8 +1441,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -4165,6 +4165,8 @@ set toAll
all rules in the policy are processed. The default is validationFailureAction
+ *
+
@@ -4179,10 +4181,7 @@ set to All
all rules in the policy are processed. The default is ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".
+Deprecated, use validationFailureAction under the validate rule instead.
@@ -4197,6 +4196,8 @@ Allowed values are audit or enforce. The default value is "Audit".validationFailureActionOverrides
+ *
+
@@ -4211,8 +4212,7 @@ Allowed values are audit or enforce. The default value is "Audit".
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+Deprecated, use validationFailureActionOverrides under the validate rule instead.
@@ -4516,6 +4516,68 @@ Defaults to "false" if not specified. +validationFailureAction
+
+
+
+
+
+
+
+ ValidationFailureAction
+
+
+
+ ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.
+ + + + + +validationFailureActionOverrides
+
+
+
+
+
+
+
+ []ValidationFailureActionOverride
+
+
+
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ + + + + +message
diff --git a/pkg/client/applyconfigurations/kyverno/v1/validation.go b/pkg/client/applyconfigurations/kyverno/v1/validation.go
index 4f291f5d60..e7e1ac9c27 100644
--- a/pkg/client/applyconfigurations/kyverno/v1/validation.go
+++ b/pkg/client/applyconfigurations/kyverno/v1/validation.go
@@ -19,20 +19,23 @@ limitations under the License.
package v1
import (
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply.
type ValidationApplyConfiguration struct {
- Message *string `json:"message,omitempty"`
- Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
- ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
- RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
- RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
- Deny *DenyApplyConfiguration `json:"deny,omitempty"`
- PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
- CEL *CELApplyConfiguration `json:"cel,omitempty"`
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
+ ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
+ Message *string `json:"message,omitempty"`
+ Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
+ ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
+ RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
+ RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
+ Deny *DenyApplyConfiguration `json:"deny,omitempty"`
+ PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
+ CEL *CELApplyConfiguration `json:"cel,omitempty"`
}
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@@ -41,6 +44,27 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{}
}
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
+// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
+func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithValidationFailureActionOverrides")
+ }
+ b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
+ }
+ return b
+}
+
// WithMessage sets the Message field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Message field is set to the value of the last call.
diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
index 08bda8813c..bac8683ee2 100644
--- a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
+++ b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
@@ -19,21 +19,24 @@ limitations under the License.
package v2beta1
import (
- v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
)
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply.
type ValidationApplyConfiguration struct {
- Message *string `json:"message,omitempty"`
- Manifests *v1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
- ForEachValidation []v1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
- RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
- RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
- Deny *DenyApplyConfiguration `json:"deny,omitempty"`
- PodSecurity *v1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
- CEL *v1.CELApplyConfiguration `json:"cel,omitempty"`
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
+ ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
+ Message *string `json:"message,omitempty"`
+ Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
+ ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
+ RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
+ RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
+ Deny *DenyApplyConfiguration `json:"deny,omitempty"`
+ PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
+ CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
}
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@@ -42,6 +45,27 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{}
}
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
+// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
+func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithValidationFailureActionOverrides")
+ }
+ b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
+ }
+ return b
+}
+
// WithMessage sets the Message field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Message field is set to the value of the last call.
@@ -53,7 +77,7 @@ func (b *ValidationApplyConfiguration) WithMessage(value string) *ValidationAppl
// WithManifests sets the Manifests field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Manifests field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithManifests(value *kyvernov1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
b.Manifests = value
return b
}
@@ -61,7 +85,7 @@ func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyCon
// WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ForEachValidation field.
-func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*v1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*kyvernov1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithForEachValidation")
@@ -98,7 +122,7 @@ func (b *ValidationApplyConfiguration) WithDeny(value *DenyApplyConfiguration) *
// WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the PodSecurity field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithPodSecurity(value *kyvernov1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
b.PodSecurity = value
return b
}
@@ -106,7 +130,7 @@ func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityAppl
// WithCEL sets the CEL field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CEL field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithCEL(value *v1.CELApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithCEL(value *kyvernov1.CELApplyConfiguration) *ValidationApplyConfiguration {
b.CEL = value
return b
}
diff --git a/pkg/controllers/metrics/policy/metrics.go b/pkg/controllers/metrics/policy/metrics.go
index 10e6db8683..38e0b89c7c 100644
--- a/pkg/controllers/metrics/policy/metrics.go
+++ b/pkg/controllers/metrics/policy/metrics.go
@@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
}
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
- if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
+ if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
if err != nil {
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go
index 9aabca04c7..7788c3709e 100644
--- a/pkg/engine/api/engineresponse.go
+++ b/pkg/engine/api/engineresponse.go
@@ -199,7 +199,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
return ""
}
spec := pol.AsKyvernoPolicy().GetSpec()
- for _, v := range spec.ValidationFailureActionOverrides {
+ for _, v := range spec.GetValidationFailureActionOverrides() {
if !v.Action.IsValid() {
continue
}
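Review bot: GetValidationFailureAction on EngineResponse now resolves the action from the spec-level getter (here for the overrides and again in the `return spec.GetValidationFailureAction()` of the following hunk), not from the specific rule whose result the response reports. Since Validation now carries its own validationFailureAction per rule (see the cases added to engineresponse_test.go), two rules in one policy may declare different actions, and unless Spec.GetValidationFailureAction, which is not in this diff, is defined to reconcile that, the response can report an action that does not match the failing rule. Worth confirming how the spec getter aggregates per-rule values, or resolving from the rule's Validation when the rule is known. The function body continues outside the hunk.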
@@ -221,5 +221,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
}
}
}
- return spec.ValidationFailureAction
+ return spec.GetValidationFailureAction()
}
diff --git a/pkg/engine/api/engineresponse_test.go b/pkg/engine/api/engineresponse_test.go
index b6d0fbf9e3..83da05ef4f 100644
--- a/pkg/engine/api/engineresponse_test.go
+++ b/pkg/engine/api/engineresponse_test.go
@@ -680,6 +680,8 @@ func TestEngineResponse_GetSuccessRules(t *testing.T) {
func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
resource := unstructured.Unstructured{}
resource.SetNamespace("foo")
+ audit := kyvernov1.Audit
+ enforce := kyvernov1.Enforce
type fields struct {
PatchedResource unstructured.Unstructured
GenericPolicy GenericPolicy
@@ -708,6 +710,36 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}),
},
want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &audit,
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
}, {
fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
@@ -734,6 +766,44 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}),
},
want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"*"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: "invalid",
+ Namespaces: []string{"*"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
}, {
fields: fields{
PatchedResource: resource,
@@ -892,6 +962,212 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}),
},
want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"foo"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"bar"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "bar": "foo",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "foo": "bar",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"foo"},
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "bar": "foo",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"bar"},
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "foo": "bar",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"foo"},
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "foo": "bar",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"*"},
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "foo": "bar",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
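Review bot: The new cases pin rule-level validationFailureAction and overrides, but none sets both the deprecated spec-level field and a rule-level value with different actions, so the precedence between them is not covered; a case such as `Spec{ValidationFailureAction: kyvernov1.Audit, Rules: []kyvernov1.Rule{{Validation: kyvernov1.Validation{ValidationFailureAction: &enforce}}}}` with an explicit `want` would document which wins. A policy with two rules declaring different actions would likewise show what the response reports. The added cases are unnamed like the existing ones, so a failing subtest is identifiable only by index; a short `name` per case would help now that the table is this long.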
diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go
index 09d092ce21..ef65e31ac8 100644
--- a/pkg/metrics/parsers.go
+++ b/pkg/metrics/parsers.go
@@ -77,6 +77,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
policyType = Namespaced
}
backgroundMode := ParsePolicyBackgroundMode(policy)
- validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
+ validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
return name, namespace, policyType, backgroundMode, validationMode, err
}
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index a000c0772f..2f2aab1c2b 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -78,8 +78,8 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
}
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
- validationFailureAction := policy.GetSpec().ValidationFailureAction
- validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
+ validationFailureAction := policy.GetSpec().GetValidationFailureAction()
+ validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
return false
}
diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go
index 94afba7f1e..9f67f4c14b 100644
--- a/pkg/policycache/store.go
+++ b/pkg/policycache/store.go
@@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
}
func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
- if spec.ValidationFailureAction.Enforce() {
+ if spec.GetValidationFailureAction().Enforce() {
return true
}
- for _, k := range spec.ValidationFailureActionOverrides {
+ for _, k := range spec.GetValidationFailureActionOverrides() {
if k.Action.Enforce() {
return true
}
diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go
index bbc5e92ed0..9a16196809 100644
--- a/pkg/validatingadmissionpolicy/builder.go
+++ b/pkg/validatingadmissionpolicy/builder.go
@@ -77,7 +77,7 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al
// set validation action for vap binding
var validationActions []admissionregistrationv1alpha1.ValidationAction
- action := cpol.GetSpec().ValidationFailureAction
+ action := cpol.GetSpec().GetValidationFailureAction()
if action.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
} else if action.Audit() {
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
index 710f1303d9..4d482c34ce 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
@@ -19,12 +19,13 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
return false, msg
}
- if len(spec.ValidationFailureActionOverrides) > 1 {
+ validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
+ if len(validationFailureActionOverrides) > 1 {
msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
return false, msg
}
- if len(spec.ValidationFailureActionOverrides) != 0 && len(spec.ValidationFailureActionOverrides[0].Namespaces) != 0 {
+ if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
return false, msg
}
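Review bot: After these two checks a single override that uses only a namespaceSelector is allowed through, yet the VAP binding builder in this same diff derives validationActions solely from `cpol.GetSpec().GetValidationFailureAction()`; if the override's Action (Audit over an Enforce base, or the reverse) is not translated elsewhere, the generated binding applies a different action in the selected namespaces than the Kyverno policy does. Whether the override is honored downstream is not visible here, so either confirm it or have CanGenerateVAP reject a selector-only override whose Action differs from the base action. The function continues outside the hunk.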
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
index 957994639f..6b1c63c7c5 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
@@ -391,6 +391,110 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
]
}
}
+`),
+ expected: false,
+ },
+ {
+ name: "policy-with-multiple-validationFailureActionOverrides-in-validate-rule",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "disallow-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "host-path",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ }
+ ]
+ },
+ "validate": {
+ "validationFailureAction": "Enforce",
+ "validationFailureActionOverrides": [
+ {
+ "action": "Enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "Audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "cel": {
+ "expressions": [
+ {
+ "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
+`),
+ expected: false,
+ },
+ {
+ name: "policy-with-namespace-in-validationFailureActionOverrides-in-validate-rule",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "disallow-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "host-path",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ }
+ ]
+ },
+ "validate": {
+ "validationFailureAction": "Enforce",
+ "validationFailureActionOverrides": [
+ {
+ "action": "Enforce",
+ "namespaces": [
+ "test-ns"
+ ]
+ }
+ ],
+ "cel": {
+ "expressions": [
+ {
+ "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
`),
expected: false,
},
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index e7fba25a6a..6a550913cc 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@@ -116,10 +116,10 @@ func validateJSONPatch(patch string, ruleIdx int) error {
func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
- if spec.ValidationFailureAction == "enforce" || spec.ValidationFailureAction == "audit" {
+ if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
return []string{msg}
}
- for _, override := range spec.ValidationFailureActionOverrides {
+ for _, override := range spec.GetValidationFailureActionOverrides() {
if override.Action == "enforce" || override.Action == "audit" {
return []string{msg}
}
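Review bot: In the next hunk `isAuditFailureAction` is computed from the spec-level `spec.GetValidationFailureAction()` while the surrounding code is evaluating a specific `rule` (the `rule.HasVerifyImages()` guard), which with this change can carry its own `rule.Validation.ValidationFailureAction`; a rule set to Audit under an Enforce policy, or the reverse, would be checked against the wrong action. Preferring the rule-level value when it is non-nil and falling back to the spec getter otherwise would keep the check per rule. The same question applies to the deprecation check in this hunk: if the getter returns one aggregated value, lowercase `enforce`/`audit` written in an individual rule's validate block may not be flagged. The enclosing functions continue outside the hunks.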
@@ -326,7 +326,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
if rule.HasVerifyImages() {
isAuditFailureAction := false
- if spec.ValidationFailureAction == kyvernov1.Audit {
+ if spec.GetValidationFailureAction() == kyvernov1.Audit {
isAuditFailureAction = true
}
@@ -1555,7 +1555,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
"auditW": sets.New[string](),
}
- for i, vfa := range s.ValidationFailureActionOverrides {
+ for i, vfa := range s.GetValidationFailureActionOverrides() {
if !vfa.Action.IsValid() {
return fmt.Errorf("invalid action")
}
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index b98658aa6a..441b24418d 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@@ -117,7 +117,7 @@ func (v *validationHandler) HandleValidationEnforce(
engineResponses = append(engineResponses, engineResponse)
if !engineResponse.IsSuccessful() {
- logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
+ logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
return
}
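Review bot: The action logged here is the policy-level `policy.GetSpec().GetValidationFailureAction()`, whereas the block decision is driven by the engine response, whose own GetValidationFailureAction (changed in this same diff) applies namespace overrides first; for a resource in an overridden namespace the log line names an action that was not the one applied, which makes admission logs misleading during incident review. Logging the response's value would keep the record consistent with the enforcement decision: `logger.V(2).Info("validation failed", "action", engineResponse.GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())`. HandleValidationEnforce continues outside the hunk.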
diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go
index 47f1e43d14..8752d9e667 100644
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
@@ -1051,6 +1051,1028 @@ func TestValidate_failure_action_overrides(t *testing.T) {
"kubernetes.io/metadata.name": "dev",
},
},
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "audit",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "default"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "audit",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "labels": {
+ "app": "my-app"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "audit",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "test"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "default"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "labels": {
+ "app": "my-app"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "test"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": ""
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ messages: map[string]string{
+ "check-label-app": "validation error: The label 'app' is required. rule check-label-app failed at path /metadata/labels/",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "audit",
+ "namespaces": [
+ "dev"
+ ],
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "default"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ messages: map[string]string{
+ "check-label-app": "validation error: The label 'app' is required. rule check-label-app failed at path /metadata/labels/",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "audit",
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "prod"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ rawResourceNamespaceLabels: map[string]string{
+ "kubernetes.io/metadata.name": "prod",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "audit",
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "default"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ messages: map[string]string{
+ "check-label-app": "validation error: The label 'app' is required. rule check-label-app failed at path /metadata/labels/",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "audit",
+ "namespaces": [
+ "dev"
+ ],
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "dev"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ rawResourceNamespaceLabels: map[string]string{
+ "kubernetes.io/metadata.name": "dev",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "enforce",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "audit",
+ "namespaces": [
+ "dev"
+ ],
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "prod"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ rawResourceNamespaceLabels: map[string]string{
+ "kubernetes.io/metadata.name": "prod",
+ },
+ },
+ {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "audit",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "dev"
+ ],
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "prod"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "dev"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: false,
+ rawResourceNamespaceLabels: map[string]string{
+ "kubernetes.io/metadata.name": "dev",
+ },
+ }, {
+ rawPolicy: []byte(`
+ {
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "check-label-app"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "check-label-app",
+ "match": {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ },
+ "validate": {
+ "validationFailureAction": "audit",
+ "validationFailureActionOverrides":
+ [
+ {
+ "action": "enforce",
+ "namespaces": [
+ "dev"
+ ],
+ "namespaceSelector": {
+ "matchExpressions": [{
+ "key" : "kubernetes.io/metadata.name",
+ "operator": "In",
+ "values": [
+ "dev"
+ ]
+ }]
+ }
+ }
+ ],
+ "message": "The label 'app' is required.",
+ "pattern": {
+ "metadata": {
+ "labels": {
+ "app": "?*"
+ }
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ `),
+ rawResource: []byte(`
+ {
+ "apiVersion": "v1",
+ "kind": "Pod",
+ "metadata": {
+ "name": "test-pod",
+ "namespace": "dev"
+ },
+ "spec": {
+ "containers": [
+ {
+ "name": "nginx",
+ "image": "nginx:latest"
+ }
+ ]
+ }
+ }
+ `),
+ blocked: true,
+ rawResourceNamespaceLabels: map[string]string{
+ "kubernetes.io/metadata.name": "dev",
+ },
+ },
}
cfg := config.NewDefaultConfiguration(false)
jp := jmespath.New(cfg)
diff --git a/pkg/webhooks/utils/block_test.go b/pkg/webhooks/utils/block_test.go
index 495ef2961d..2375344e7d 100644
--- a/pkg/webhooks/utils/block_test.go
+++ b/pkg/webhooks/utils/block_test.go
@@ -62,6 +62,38 @@ func TestBlockRequest(t *testing.T) {
ValidationFailureAction: kyvernov1.Enforce,
},
})
+ audit := kyvernov1.Audit
+ auditRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ ObjectMeta: v1.ObjectMeta{
+ Name: "test",
+ },
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Name: "rule-audit",
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &audit,
+ },
+ },
+ },
+ },
+ })
+ enforce := kyvernov1.Enforce
+ enforceRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ ObjectMeta: v1.ObjectMeta{
+ Name: "test",
+ },
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Name: "rule-enforce",
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ },
+ },
+ },
+ },
+ })
resource := unstructured.Unstructured{
Object: map[string]interface{}{
"kind": "foo",
@@ -164,6 +196,90 @@ func TestBlockRequest(t *testing.T) {
log: logr.Discard(),
},
want: false,
+ }, {
+ name: "failure - enforce",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, enforceRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Fail,
+ log: logr.Discard(),
+ },
+ want: true,
+ }, {
+ name: "failure - audit",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Fail,
+ log: logr.Discard(),
+ },
+ want: false,
+ }, {
+ name: "error - fail",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Fail,
+ log: logr.Discard(),
+ },
+ want: true,
+ }, {
+ name: "error - ignore",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Ignore,
+ log: logr.Discard(),
+ },
+ want: false,
+ }, {
+ name: "warning - ignore",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Ignore,
+ log: logr.Discard(),
+ },
+ want: false,
+ }, {
+ name: "warning - fail",
+ args: args{
+ engineResponses: []engineapi.EngineResponse{
+ engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+ Rules: []engineapi.RuleResponse{
+ *engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
+ },
+ }),
+ },
+ failurePolicy: kyvernov1.Fail,
+ log: logr.Discard(),
+ },
+ want: false,
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
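Review bot: The rule responses in the new cases are named "rule-fail", "rule-error" and "rule-warning", while the policies they are attached to (auditRule, enforceRule from the earlier hunk) define rules named "rule-audit" and "rule-enforce". If the blocking decision resolves the per-rule validationFailureAction by matching the response's rule name against the policy's rules, none of these cases would find that rule, and "failure - enforce" / "failure - audit" would be exercising the fallback path rather than the new rule-level field; this is inferred from the names only, so it is worth confirming rather than assuming. Aligning the names removes the ambiguity either way, e.g. `*engineapi.RuleFail("rule-enforce", engineapi.Validation, "message fail"),` in the enforce case and `"rule-audit"` in the audit, error and warning cases. TestBlockRequest's loop body continues outside this hunk.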