From ff88c4c39ac93939332a8601f4c7402dfad59309 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Wed, 26 Jun 2024 15:13:02 +0800 Subject: [PATCH] feat: migrate validationFailureAction and validationFailureActionOverrides (#10528) * feat: migrate validationFailureAction and validationFailureActionOverrides under validate rule Signed-off-by: Mariam Fahmy * feat: add unit tests Signed-off-by: Mariam Fahmy --------- Signed-off-by: Mariam Fahmy --- api/kyverno/v1/common_types.go | 13 + api/kyverno/v1/spec_types.go | 36 +- api/kyverno/v1/zz_generated.deepcopy.go | 12 + api/kyverno/v2beta1/common_types.go | 13 + api/kyverno/v2beta1/spec_types.go | 36 +- api/kyverno/v2beta1/zz_generated.deepcopy.go | 12 + .../kyverno.io_clusterpolicies.yaml | 356 +++++- .../kyverno.io/kyverno.io_policies.yaml | 356 +++++- .../data/crds/kyverno.io_clusterpolicies.yaml | 356 +++++- .../data/crds/kyverno.io_policies.yaml | 356 +++++- cmd/cli/kubectl-kyverno/policy/load_test.go | 2 +- .../kyverno/kyverno.io_clusterpolicies.yaml | 356 +++++- config/crds/kyverno/kyverno.io_policies.yaml | 356 +++++- config/install-latest-testing.yaml | 712 +++++++++++- docs/user/crd/index.html | 132 ++- docs/user/crd/kyverno.v1.html | 102 +- docs/user/crd/kyverno.v2beta1.html | 98 +- .../kyverno/v1/validation.go | 40 +- .../kyverno/v2beta1/validation.go | 50 +- pkg/controllers/metrics/policy/metrics.go | 2 +- pkg/engine/api/engineresponse.go | 4 +- pkg/engine/api/engineresponse_test.go | 276 +++++ pkg/metrics/parsers.go | 2 +- pkg/policycache/cache.go | 4 +- pkg/policycache/store.go | 4 +- pkg/validatingadmissionpolicy/builder.go | 2 +- .../kyvernopolicy_checker.go | 5 +- .../kyvernopolicy_checker_test.go | 104 ++ pkg/validation/policy/validate.go | 8 +- .../resource/validation/validation.go | 2 +- pkg/webhooks/resource/validation_test.go | 1022 +++++++++++++++++ pkg/webhooks/utils/block_test.go | 116 ++ 32 files changed, 4676 insertions(+), 269 deletions(-) 
diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index dc51fac338..cee5da6d71 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -419,6 +419,19 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) { // Validation defines checks to be performed on matching resources. type Validation struct { + // ValidationFailureAction defines if a validation policy rule violation should block + // the admission review request (enforce), or allow (audit) the admission review request + // and report an error in a policy report. Optional. + // Allowed values are audit or enforce. + // +optional + // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce + ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + // +optional + ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Message specifies a custom message to be displayed on failure. // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index e665933912..f34a848f01 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go 
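Review bot: The doc comment on the new rule-level `ValidationFailureAction` field does not say how it relates to the deprecated `spec.validationFailureAction`, which still carries `+kubebuilder:default=Audit` in the spec_types.go hunk of this same patch; a reader of the CRD cannot tell which one wins when both are present. From the new `GetValidationFailureAction` getter it looks like a rule-level value takes precedence and a nil value falls back to the spec field, so the comment should say so, e.g. `// When set, this value takes precedence over the deprecated spec.validationFailureAction; when unset, the spec-level value applies.` The same sentence belongs on `ValidationFailureActionOverrides` here and on both fields in the api/kyverno/v2beta1/common_types.go hunk. The Validation struct body continues past the end of the hunk.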
@@ -63,18 +63,12 @@ type Spec struct { // Deprecated, use failurePolicy under the webhookConfiguration instead. FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` - // ValidationFailureAction defines if a validation policy rule violation should block - // the admission review request (enforce), or allow (audit) the admission review request - // and report an error in a policy report. Optional. - // Allowed values are audit or enforce. The default value is "Audit". - // +optional + // Deprecated, use validationFailureAction under the validate rule instead. // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:default=Audit ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` - // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - // +optional + // Deprecated, use validationFailureActionOverrides under the validate rule instead. ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` // Admission controls if rules are applied during admission. 
@@ -234,6 +228,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } +// GetValidationFailureAction returns the value of the validationFailureAction +func (s *Spec) GetValidationFailureAction() ValidationFailureAction { + for _, rule := range s.Rules { + if rule.HasValidate() { + validationFailureAction := rule.Validation.ValidationFailureAction + if validationFailureAction != nil { + return *validationFailureAction + } + } + } + return s.ValidationFailureAction +} + +// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides +func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride { + for _, rule := range s.Rules { + if rule.HasValidate() { + validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + if len(validationFailureActionOverrides) != 0 { + return validationFailureActionOverrides + } + } + } + return s.ValidationFailureActionOverrides +} + // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index dc9358f5cd..571a9df491 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go 
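Review bot: `GetValidationFailureAction` returns the action of the first validate rule that sets one and never looks at the remaining rules, so a policy whose rules mix `audit` and `enforce` is reported policy-wide as whichever value the first such rule carries; the early `return *validationFailureAction` inside the loop is where that happens, and `GetValidationFailureActionOverrides` has the same first-match shape. Now that the field lives on the rule, a policy-level getter that silently picks one rule is a narrowing the API does not announce, and if any admission-blocking caller relies on it (the diffstat touches policycache and webhooks/utils, not visible here) a mixed policy could be treated as audit-only — worth confirming at those call sites. At minimum the doc comment should state the rule: `// GetValidationFailureAction returns the validationFailureAction of the first validate rule that sets one, falling back to the deprecated spec-level field; later rules are not consulted.` The same applies to both getters in the api/kyverno/v2beta1/spec_types.go hunk.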
@@ -1585,6 +1585,18 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(Manifests) diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index 4dc822afd8..ca106b022e 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go 
@@ -8,6 +8,19 @@ import ( // Validation defines checks to be performed on matching resources. type Validation struct { + // ValidationFailureAction defines if a validation policy rule violation should block + // the admission review request (enforce), or allow (audit) the admission review request + // and report an error in a policy report. Optional. + // Allowed values are audit or enforce. + // +optional + // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce + ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + // +optional + ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Message specifies a custom message to be displayed on failure. // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index d6e7a4eb6b..2d1d7f883d 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go 
@@ -26,18 +26,12 @@ type Spec struct { // Deprecated, use failurePolicy under the webhookConfiguration instead. FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` - // ValidationFailureAction defines if a validation policy rule violation should block - // the admission review request (enforce), or allow (audit) the admission review request - // and report an error in a policy report. Optional. - // Allowed values are audit or enforce. The default value is "Audit". - // +optional + // Deprecated, use validationFailureAction under the validate rule instead. // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:default=Audit ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` - // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - // +optional + // Deprecated, use validationFailureActionOverrides under the validate rule instead. ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` // Admission controls if rules are applied during admission. 
@@ -203,6 +197,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool { return *s.Background } +// GetValidationFailureAction returns the value of the validationFailureAction +func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction { + for _, rule := range s.Rules { + if rule.HasValidate() { + validationFailureAction := rule.Validation.ValidationFailureAction + if validationFailureAction != nil { + return *validationFailureAction + } + } + } + return s.ValidationFailureAction +} + +// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides +func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride { + for _, rule := range s.Rules { + if rule.HasValidate() { + validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides + if len(validationFailureActionOverrides) != 0 { + return validationFailureActionOverrides + } + } + } + return s.ValidationFailureActionOverrides +} + // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index 485c3f3f3e..7b1eae6591 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go 
@@ -831,6 +831,18 @@ func (in *Spec) DeepCopy() *Spec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]v1.ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(v1.Manifests) diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 46eed8160e..b07411cc11 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -3429,6 +3429,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4212,11 +4295,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4224,9 +4304,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7713,6 +7792,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11797,6 +11959,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12549,11 +12794,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12561,9 +12803,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16050,6 +16291,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 142dac3532..139230e953 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
@@ -3430,6 +3430,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4213,11 +4296,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4225,9 +4305,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7715,6 +7794,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11800,6 +11962,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12552,11 +12797,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12564,9 +12806,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16053,6 +16294,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 04a09d1212..a920093a20 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -3423,6 +3423,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4206,11 +4289,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4218,9 +4298,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7707,6 +7786,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11791,6 +11953,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12543,11 +12788,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12555,9 +12797,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16044,6 +16285,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 3135e1e5a7..60c0f9c59f 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml 
@@ -3424,6 +3424,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4207,11 +4290,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4219,9 +4299,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7709,6 +7788,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11794,6 +11956,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12546,11 +12791,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12558,9 +12800,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16047,6 +16288,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/cmd/cli/kubectl-kyverno/policy/load_test.go b/cmd/cli/kubectl-kyverno/policy/load_test.go index 87d36183e3..1136980e21 100644 --- a/cmd/cli/kubectl-kyverno/policy/load_test.go +++ b/cmd/cli/kubectl-kyverno/policy/load_test.go @@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) { assert.NotNil(t, policy) spec := policy.GetSpec() assert.NotNil(t, spec) - assert.True(t, spec.ValidationFailureAction.Audit()) + assert.True(t, spec.GetValidationFailureAction().Audit()) assert.NotNil(t, spec.Background) assert.True(t, *spec.Background) assert.NotNil(t, spec.Admission) diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 04a09d1212..a920093a20 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml 
@@ -3423,6 +3423,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4206,11 +4289,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4218,9 +4298,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7707,6 +7786,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11791,6 +11953,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12543,11 +12788,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12555,9 +12797,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16044,6 +16285,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 3135e1e5a7..60c0f9c59f 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml 
@@ -3424,6 +3424,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -4207,11 +4290,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -4219,9 +4299,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -7709,6 +7788,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -11794,6 +11956,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -12546,11 +12791,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -12558,9 +12800,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -16047,6 +16288,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 52f7c7b82d..07683002ed 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -8630,6 +8630,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -9413,11 +9496,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -9425,9 +9505,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -12914,6 +12993,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -16998,6 +17160,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -17750,11 +17995,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -17762,9 +18004,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -21251,6 +21492,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -25845,6 +26169,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -26628,11 +27035,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -26640,9 +27044,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -30130,6 +30533,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures 
@@ -34215,6 +34701,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures @@ -34967,11 +35536,8 @@ spec: type: boolean validationFailureAction: default: Audit - description: |- - ValidationFailureAction defines if a validation policy rule violation should block - the admission review request (enforce), or allow (audit) the admission review request - and report an error in a policy report. Optional. - Allowed values are audit or enforce. The default value is "Audit". + description: Deprecated, use validationFailureAction under the validate + rule instead. enum: - audit - enforce @@ -34979,9 +35545,8 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: |- - ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction - namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. items: properties: action: 
@@ -38468,6 +39033,89 @@ spec: - latest type: string type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array type: object verifyImages: description: VerifyImages is used to verify image signatures diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index a5f3f3f37e..9d3583e321 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -160,11 +160,7 @@ ValidationFailureAction -(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -177,9 +173,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -428,11 +422,7 @@ ValidationFailureAction -(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -445,9 +435,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -3951,11 +3939,7 @@ ValidationFailureAction -(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -3968,9 +3952,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -4377,6 +4359,38 @@ It is an empty string when validating admission policy is successfully generated +validationFailureAction
+ + +ValidationFailureAction + + + + +(Optional) +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.

+ + + + +validationFailureActionOverrides
+ + +[]ValidationFailureActionOverride + + + + +(Optional) +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + message
string @@ -4495,8 +4509,10 @@ CEL

(Appears on: Spec, +Validation, ValidationFailureActionOverride, -Spec) +Spec, +Validation)

ValidationFailureAction defines the policy validation failure action

@@ -4506,7 +4522,9 @@ CEL

(Appears on: Spec, -Spec) +Validation, +Spec, +Validation)

@@ -7375,11 +7393,7 @@ ValidationFailureAction
-(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -7392,9 +7406,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -7642,11 +7654,7 @@ ValidationFailureAction -(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -7659,9 +7667,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -9029,11 +9035,7 @@ ValidationFailureAction -(Optional) -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “Audit”.

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -9046,9 +9048,7 @@ Allowed values are audit or enforce. The default value is “Audit”. -(Optional) -

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -9185,6 +9185,38 @@ WebhookConfiguration +validationFailureAction
+ + +ValidationFailureAction + + + + +(Optional) +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.

+ + + + +validationFailureActionOverrides
+ + +[]ValidationFailureActionOverride + + + + +(Optional) +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + message
string diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index 6318348714..0b7d70cb9d 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -235,6 +235,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -249,10 +251,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -267,6 +266,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -281,8 +282,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -792,6 +792,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -806,10 +808,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -824,6 +823,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -838,8 +839,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -7827,6 +7827,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -7841,10 +7843,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -7859,6 +7858,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -7873,8 +7874,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -8740,6 +8740,68 @@ It is an empty string when validating admission policy is successfully generated + + validationFailureAction + +
+ + + + + + ValidationFailureAction + + + + + + + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.

+ + + + + + + + + + + + + validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + + + + + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + + + + + + + message @@ -8979,6 +9041,7 @@ by specifying exclusions for Pod Security Standards controls.

(Appears in: Spec, + Validation, ValidationFailureActionOverride)

@@ -8994,7 +9057,8 @@ by specifying exclusions for Pod Security Standards controls.

(Appears in: - Spec) + Spec, + Validation)

diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 3b3b3efb82..495749aab6 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -835,6 +835,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -849,10 +851,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -867,6 +866,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -881,8 +882,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -1394,6 +1394,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -1408,10 +1410,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -1426,6 +1425,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -1440,8 +1441,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -4165,6 +4165,8 @@ set to All all rules in the policy are processed. The default is validationFailureAction + * +
@@ -4179,10 +4181,7 @@ set to All all rules in the policy are processed. The default is -

ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is "Audit".

+

Deprecated, use validationFailureAction under the validate rule instead.

@@ -4197,6 +4196,8 @@ Allowed values are audit or enforce. The default value is "Audit".

validationFailureActionOverrides + * +
@@ -4211,8 +4212,7 @@ Allowed values are audit or enforce. The default value is "Audit".

-

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+

Deprecated, use validationFailureActionOverrides under the validate rule instead.

@@ -4516,6 +4516,68 @@ Defaults to "false" if not specified.

+ + validationFailureAction + +
+ + + + + + ValidationFailureAction + + + + + + + +

ValidationFailureAction defines if a validation policy rule violation should block +the admission review request (enforce), or allow (audit) the admission review request +and report an error in a policy report. Optional. +Allowed values are audit or enforce.

+ + + + + + + + + + + + + validationFailureActionOverrides + +
+ + + + + + []ValidationFailureActionOverride + + + + + + + +

ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction +namespace-wise. It overrides ValidationFailureAction for the specified namespaces.

+ + + + + + + + + + + message diff --git a/pkg/client/applyconfigurations/kyverno/v1/validation.go b/pkg/client/applyconfigurations/kyverno/v1/validation.go index 4f291f5d60..e7e1ac9c27 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/validation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/validation.go 
@@ -19,20 +19,23 @@ limitations under the License.
 package v1
 import (
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
 // with apply.
 type ValidationApplyConfiguration struct {
- Message *string `json:"message,omitempty"`
- Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
- ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
- RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
- RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
- Deny *DenyApplyConfiguration `json:"deny,omitempty"`
- PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
- CEL *CELApplyConfiguration `json:"cel,omitempty"`
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
+ ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
+ Message *string `json:"message,omitempty"`
+ Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
+ ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
+ RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
+ RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
+ Deny *DenyApplyConfiguration `json:"deny,omitempty"`
+ PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
+ CEL *CELApplyConfiguration `json:"cel,omitempty"`
 }
 // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@@ -41,6 +44,27 @@ func Validation() *ValidationApplyConfiguration {
 return &ValidationApplyConfiguration{}
 }
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
+// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
+func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithValidationFailureActionOverrides")
+ }
+ b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
+ }
+ return b
+}
+
 // WithMessage sets the Message field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Message field is set to the value of the last call.
diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
index 08bda8813c..bac8683ee2 100644
--- a/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
+++ b/pkg/client/applyconfigurations/kyverno/v2beta1/validation.go
@@ -19,21 +19,24 @@ limitations under the License.
 package v2beta1
 import (
- v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
 // with apply.
 type ValidationApplyConfiguration struct {
- Message *string `json:"message,omitempty"`
- Manifests *v1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
- ForEachValidation []v1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
- RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
- RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
- Deny *DenyApplyConfiguration `json:"deny,omitempty"`
- PodSecurity *v1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
- CEL *v1.CELApplyConfiguration `json:"cel,omitempty"`
+ ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
+ ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
+ Message *string `json:"message,omitempty"`
+ Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
+ ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
+ RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
+ RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
+ Deny *DenyApplyConfiguration `json:"deny,omitempty"`
+ PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
+ CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
 }
 // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@@ -42,6 +45,27 @@ func Validation() *ValidationApplyConfiguration {
 return &ValidationApplyConfiguration{}
 }
+// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
+ b.ValidationFailureAction = &value
+ return b
+}
+
+// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
+func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithValidationFailureActionOverrides")
+ }
+ b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
+ }
+ return b
+}
+
 // WithMessage sets the Message field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Message field is set to the value of the last call.
@@ -53,7 +77,7 @@ func (b *ValidationApplyConfiguration) WithMessage(value string) *ValidationAppl
 // WithManifests sets the Manifests field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Manifests field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithManifests(value *kyvernov1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
 b.Manifests = value
 return b
 }
@@ -61,7 +85,7 @@ func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyCon
 // WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the ForEachValidation field.
-func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*v1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*kyvernov1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
 for i := range values {
 if values[i] == nil {
 panic("nil value passed to WithForEachValidation")
@@ -98,7 +122,7 @@ func (b *ValidationApplyConfiguration) WithDeny(value *DenyApplyConfiguration) *
 // WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the PodSecurity field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithPodSecurity(value *kyvernov1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
 b.PodSecurity = value
 return b
 }
@@ -106,7 +130,7 @@ func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityAppl
 // WithCEL sets the CEL field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the CEL field is set to the value of the last call.
-func (b *ValidationApplyConfiguration) WithCEL(value *v1.CELApplyConfiguration) *ValidationApplyConfiguration {
+func (b *ValidationApplyConfiguration) WithCEL(value *kyvernov1.CELApplyConfiguration) *ValidationApplyConfiguration {
 b.CEL = value
 return b
 }
diff --git a/pkg/controllers/metrics/policy/metrics.go b/pkg/controllers/metrics/policy/metrics.go
index 10e6db8683..38e0b89c7c 100644
--- a/pkg/controllers/metrics/policy/metrics.go
+++ b/pkg/controllers/metrics/policy/metrics.go
@@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
 }
 // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
- if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
+ if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
 err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
 if err != nil {
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
diff --git a/pkg/engine/api/engineresponse.go b/pkg/engine/api/engineresponse.go
index 9aabca04c7..7788c3709e 100644
--- a/pkg/engine/api/engineresponse.go
+++ b/pkg/engine/api/engineresponse.go
@@ -199,7 +199,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 return ""
 }
 spec := pol.AsKyvernoPolicy().GetSpec()
- for _, v := range spec.ValidationFailureActionOverrides {
+ for _, v := range spec.GetValidationFailureActionOverrides() {
 if !v.Action.IsValid() {
 continue
 }
@@ -221,5 +221,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
 }
 }
 }
- return spec.ValidationFailureAction
+ return spec.GetValidationFailureAction()
 }
diff --git a/pkg/engine/api/engineresponse_test.go b/pkg/engine/api/engineresponse_test.go
index b6d0fbf9e3..83da05ef4f 100644
--- a/pkg/engine/api/engineresponse_test.go
+++ b/pkg/engine/api/engineresponse_test.go
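Review bot: The new `return spec.GetValidationFailureAction()` and the override loop above it still resolve one action for the whole policy, although this commit moves the field onto each validate rule; `Spec.GetValidationFailureAction` is not in this chunk, so how it chooses among rules that disagree cannot be confirmed here, but a single spec-wide value cannot represent a policy whose rules mix Enforce and Audit. The engine response already knows which rule failed, so resolving from that rule's `Validation.ValidationFailureAction` and `Validation.ValidationFailureActionOverrides`, falling back to the spec-level fields, would keep the decision per rule. The same single-value resolution is used by the hunks in metrics.go, parsers.go, cache.go, store.go, builder.go and validation/validation.go; in `computeEnforcePolicy` (store.go) a rule-level Enforce that the getter does not surface would leave the policy out of the enforce set, which is the fail-open direction. `GetValidationFailureAction` starts outside this hunk.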
@@ -680,6 +680,8 @@ func TestEngineResponse_GetSuccessRules(t *testing.T) {
 func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
 resource := unstructured.Unstructured{}
 resource.SetNamespace("foo")
+ audit := kyvernov1.Audit
+ enforce := kyvernov1.Enforce
 type fields struct {
 PatchedResource unstructured.Unstructured
 GenericPolicy GenericPolicy
@@ -708,6 +710,36 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
 }),
 },
 want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &audit,
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
 }, {
 fields: fields{
 GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
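Review bot: Every added case holds exactly one rule, so the test does not pin what `GetValidationFailureAction` returns for a policy whose validate rules disagree, which is the situation the per-rule field creates. One case with `Rules: []kyvernov1.Rule{{Validation: kyvernov1.Validation{ValidationFailureAction: &audit}}, {Validation: kyvernov1.Validation{ValidationFailureAction: &enforce}}}` and an explicit `want` would document the intended precedence. No case sets the deprecated spec-level `ValidationFailureAction` together with a rule-level one either, so which of the two wins is also unasserted. `TestEngineResponse_GetValidationFailureAction` continues outside the hunk.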
@@ -734,6 +766,44 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
 }),
 },
 want: kyvernov1.Enforce,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"*"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
+ }, {
+ fields: fields{
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: "invalid",
+ Namespaces: []string{"*"},
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Enforce,
 }, {
 fields: fields{
 PatchedResource: resource,
@@ -892,6 +962,212 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) { }), }, want: kyvernov1.Audit, + }, { + fields: fields{ + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + Namespaces: []string{"foo"}, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Audit, + }, { + fields: fields{ + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + Namespaces: []string{"bar"}, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Enforce, + }, { + fields: fields{ + namespaceLabels: map[string]string{ + "foo": "bar", + }, + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "bar": "foo", + }, + }, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Enforce, + }, { + fields: fields{ + namespaceLabels: map[string]string{ + "foo": "bar", + }, + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + 
NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo": "bar", + }, + }, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Audit, + }, { + fields: fields{ + namespaceLabels: map[string]string{ + "foo": "bar", + }, + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + Namespaces: []string{"foo"}, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "bar": "foo", + }, + }, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Enforce, + }, { + fields: fields{ + namespaceLabels: map[string]string{ + "foo": "bar", + }, + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + Namespaces: []string{"bar"}, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo": "bar", + }, + }, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Enforce, + }, { + fields: fields{ + namespaceLabels: map[string]string{ + "foo": "bar", + }, + PatchedResource: resource, + GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{ + Action: kyvernov1.Audit, + Namespaces: []string{"foo"}, + NamespaceSelector: &metav1.LabelSelector{ + MatchLabels: map[string]string{ + "foo": "bar", + }, + }, + }}, + }, + }, + }, + }, + }), + }, + want: kyvernov1.Audit, + }, { + 
fields: fields{
+ namespaceLabels: map[string]string{
+ "foo": "bar",
+ },
+ PatchedResource: resource,
+ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
+ Spec: kyvernov1.Spec{
+ Rules: []kyvernov1.Rule{
+ {
+ Validation: kyvernov1.Validation{
+ ValidationFailureAction: &enforce,
+ ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
+ Action: kyvernov1.Audit,
+ Namespaces: []string{"*"},
+ NamespaceSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{
+ "foo": "bar",
+ },
+ },
+ }},
+ },
+ },
+ },
+ },
+ }),
+ },
+ want: kyvernov1.Audit,
 }}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go
index 09d092ce21..ef65e31ac8 100644
--- a/pkg/metrics/parsers.go
+++ b/pkg/metrics/parsers.go
@@ -77,6 +77,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
 policyType = Namespaced
 }
 backgroundMode := ParsePolicyBackgroundMode(policy)
- validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
+ validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
 return name, namespace, policyType, backgroundMode, validationMode, err
 }
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index a000c0772f..2f2aab1c2b 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -78,8 +78,8 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
 }
 func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
- validationFailureAction := policy.GetSpec().ValidationFailureAction
- validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
+ validationFailureAction := policy.GetSpec().GetValidationFailureAction()
+ validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
 if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
 return false
 }
diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go
index 94afba7f1e..9f67f4c14b 100644
--- a/pkg/policycache/store.go
+++ b/pkg/policycache/store.go
@@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
 }
 func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
- if spec.ValidationFailureAction.Enforce() {
+ if spec.GetValidationFailureAction().Enforce() {
 return true
 }
- for _, k := range spec.ValidationFailureActionOverrides {
+ for _, k := range spec.GetValidationFailureActionOverrides() {
 if k.Action.Enforce() {
 return true
 }
diff --git a/pkg/validatingadmissionpolicy/builder.go b/pkg/validatingadmissionpolicy/builder.go
index bbc5e92ed0..9a16196809 100644
--- a/pkg/validatingadmissionpolicy/builder.go
+++ b/pkg/validatingadmissionpolicy/builder.go
@@ -77,7 +77,7 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al
 // set validation action for vap binding
 var validationActions []admissionregistrationv1alpha1.ValidationAction
- action := cpol.GetSpec().ValidationFailureAction
+ action := cpol.GetSpec().GetValidationFailureAction()
 if action.Enforce() {
 validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
 } else if action.Audit() {
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
index 710f1303d9..4d482c34ce 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
@@ -19,12 +19,13 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
 return false, msg
 }
- if len(spec.ValidationFailureActionOverrides) > 1 {
+ validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
+ if len(validationFailureActionOverrides) > 1 {
 msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
 return false, msg
 }
- if len(spec.ValidationFailureActionOverrides) != 0 && len(spec.ValidationFailureActionOverrides[0].Namespaces) != 0 {
+ if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
 msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
 return false, msg
 }
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
index 957994639f..6b1c63c7c5 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
@@ -391,6 +391,110 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
 ]
 }
 }
+`),
+ expected: false,
+ },
+ {
+ name: "policy-with-multiple-validationFailureActionOverrides-in-validate-rule",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "disallow-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "host-path",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ }
+ ]
+ },
+ "validate": {
+ "validationFailureAction": "Enforce",
+ "validationFailureActionOverrides": [
+ {
+ "action": "Enforce",
+ "namespaces": [
+ "default"
+ ]
+ },
+ {
+ "action": "Audit",
+ "namespaces": [
+ "test"
+ ]
+ }
+ ],
+ "cel": {
+ "expressions": [
+ {
+ "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
+`),
+ expected: false,
+ },
+ {
+ name: "policy-with-namespace-in-validationFailureActionOverrides-in-validate-rule",
+ policy: []byte(`
+{
+ "apiVersion": "kyverno.io/v1",
+ "kind": "ClusterPolicy",
+ "metadata": {
+ "name": "disallow-host-path"
+ },
+ "spec": {
+ "rules": [
+ {
+ "name": "host-path",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Pod"
+ ]
+ }
+ }
+ ]
+ },
+ "validate": {
+ "validationFailureAction": "Enforce",
+ "validationFailureActionOverrides": [
+ {
+ "action": "Enforce",
+ "namespaces": [
+ "test-ns"
+ ]
+ }
+ ],
+ "cel": {
+ "expressions": [
+ {
+ "expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+}
 `),
 expected: false,
 },
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index e7fba25a6a..6a550913cc 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
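Review bot: Both added cases assert `expected: false`, so the hunk shows what rule-level overrides reject but not what they accept; a companion case with a single rule-level override that carries only a `namespaceSelector`, with the `expected` value the new getter-based checks are meant to produce, would pin the positive path as well. `Test_Can_Generate_ValidatingAdmissionPolicy` starts outside the hunk.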
@@ -116,10 +116,10 @@ func validateJSONPatch(patch string, ruleIdx int) error {
 func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
 msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
- if spec.ValidationFailureAction == "enforce" || spec.ValidationFailureAction == "audit" {
+ if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
 return []string{msg}
 }
- for _, override := range spec.ValidationFailureActionOverrides {
+ for _, override := range spec.GetValidationFailureActionOverrides() {
 if override.Action == "enforce" || override.Action == "audit" {
 return []string{msg}
 }
@@ -326,7 +326,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
 if rule.HasVerifyImages() {
 isAuditFailureAction := false
- if spec.ValidationFailureAction == kyvernov1.Audit {
+ if spec.GetValidationFailureAction() == kyvernov1.Audit {
 isAuditFailureAction = true
 }
@@ -1555,7 +1555,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
 "auditW": sets.New[string](),
 }
- for i, vfa := range s.ValidationFailureActionOverrides {
+ for i, vfa := range s.GetValidationFailureActionOverrides() {
 if !vfa.Action.IsValid() {
 return fmt.Errorf("invalid action")
 }
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index b98658aa6a..441b24418d 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
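Review bot: In `checkValidationFailureAction` the new condition calls `spec.GetValidationFailureAction()` twice; hoisting it the way the kyvernopolicy_checker.go hunk does, `action := spec.GetValidationFailureAction()` followed by `if action == "enforce" || action == "audit" {`, reads better and evaluates the getter once. Since the check now runs on a single resolved value, a lowercase `enforce`/`audit` written on a second validate rule would presumably not trigger the deprecation message even though the CRD enum still admits those spellings; if the getter surfaces only one rule's value, iterate the rules' `Validation` fields here too. The three enclosing functions all start outside their hunks.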
@@ -117,7 +117,7 @@ func (v *validationHandler) HandleValidationEnforce(
 engineResponses = append(engineResponses, engineResponse)
 if !engineResponse.IsSuccessful() {
- logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
+ logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
 return
 }
diff --git a/pkg/webhooks/resource/validation_test.go b/pkg/webhooks/resource/validation_test.go
index 47f1e43d14..8752d9e667 100644
--- a/pkg/webhooks/resource/validation_test.go
+++ b/pkg/webhooks/resource/validation_test.go
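Review bot: The log line reports `policy.GetSpec().GetValidationFailureAction()`, the spec-wide value, while the action that applies to this request is presumably the one `EngineResponse.GetValidationFailureAction` resolves after namespace overrides and, with this commit, rule-level values; whenever the two differ, the `action` field in the audit trail names an action that was not the one applied. Logging `engineResponse.GetValidationFailureAction()` instead keeps the record consistent with the decision it describes. `HandleValidationEnforce` starts outside the hunk.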
@@ -1051,6 +1051,1028 @@ func TestValidate_failure_action_overrides(t *testing.T) { "kubernetes.io/metadata.name": "dev", }, }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "audit", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "default" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "audit", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "labels": { + "app": "my-app" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": 
"ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "audit", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "default" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + 
"validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "labels": { + "app": "my-app" + } + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "test" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "default" + ] + }, + { + "action": "audit", + "namespaces": [ + "test" + ] + } + 
], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + messages: map[string]string{ + "check-label-app": "validation error: The label 'app' is required. rule check-label-app failed at path /metadata/labels/", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "audit", + "namespaces": [ + "dev" + ], + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "default" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + messages: map[string]string{ + "check-label-app": "validation error: The label 'app' is required. 
rule check-label-app failed at path /metadata/labels/", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "audit", + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "prod" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + rawResourceNamespaceLabels: map[string]string{ + "kubernetes.io/metadata.name": "prod", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "audit", + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "default" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } 
+ ] + } + } + `), + blocked: true, + messages: map[string]string{ + "check-label-app": "validation error: The label 'app' is required. rule check-label-app failed at path /metadata/labels/", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "audit", + "namespaces": [ + "dev" + ], + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "dev" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + rawResourceNamespaceLabels: map[string]string{ + "kubernetes.io/metadata.name": "dev", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "enforce", + "validationFailureActionOverrides": + [ + { + "action": "audit", + "namespaces": [ + "dev" + ], + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` 
+ { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "prod" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + rawResourceNamespaceLabels: map[string]string{ + "kubernetes.io/metadata.name": "prod", + }, + }, + { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "audit", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "dev" + ], + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "prod" + ] + }] + } + } + ], + "message": "The label 'app' is required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "dev" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: false, + rawResourceNamespaceLabels: map[string]string{ + "kubernetes.io/metadata.name": "dev", + }, + }, { + rawPolicy: []byte(` + { + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "check-label-app" + }, + "spec": { + "rules": [ + { + "name": "check-label-app", + "match": { + "resources": { + "kinds": [ + "Pod" + ] + } + }, + "validate": { + "validationFailureAction": "audit", + "validationFailureActionOverrides": + [ + { + "action": "enforce", + "namespaces": [ + "dev" + ], + "namespaceSelector": { + "matchExpressions": [{ + "key" : "kubernetes.io/metadata.name", + "operator": "In", + "values": [ + "dev" + ] + }] + } + } + ], + "message": "The label 'app' is 
required.", + "pattern": { + "metadata": { + "labels": { + "app": "?*" + } + } + } + } + } + ] + } + } + `), + rawResource: []byte(` + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "test-pod", + "namespace": "dev" + }, + "spec": { + "containers": [ + { + "name": "nginx", + "image": "nginx:latest" + } + ] + } + } + `), + blocked: true, + rawResourceNamespaceLabels: map[string]string{ + "kubernetes.io/metadata.name": "dev", + }, + }, } cfg := config.NewDefaultConfiguration(false) jp := jmespath.New(cfg) diff --git a/pkg/webhooks/utils/block_test.go b/pkg/webhooks/utils/block_test.go index 495ef2961d..2375344e7d 100644 --- a/pkg/webhooks/utils/block_test.go +++ b/pkg/webhooks/utils/block_test.go @@ -62,6 +62,38 @@ func TestBlockRequest(t *testing.T) { ValidationFailureAction: kyvernov1.Enforce, }, }) + audit := kyvernov1.Audit + auditRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + ObjectMeta: v1.ObjectMeta{ + Name: "test", + }, + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Name: "rule-audit", + Validation: kyvernov1.Validation{ + ValidationFailureAction: &audit, + }, + }, + }, + }, + }) + enforce := kyvernov1.Enforce + enforceRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ + ObjectMeta: v1.ObjectMeta{ + Name: "test", + }, + Spec: kyvernov1.Spec{ + Rules: []kyvernov1.Rule{ + { + Name: "rule-enforce", + Validation: kyvernov1.Validation{ + ValidationFailureAction: &enforce, + }, + }, + }, + }, + }) resource := unstructured.Unstructured{ Object: map[string]interface{}{ "kind": "foo", 
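Review bot: none of the new TestValidate_failure_action_overrides cases sets both `spec.validationFailureAction` and a rule-level `validate.validationFailureAction`, so the precedence between the two levels — in particular a spec-level Enforce paired with a rule-level audit, the combination that would silently downgrade enforcement — is not pinned by this table. Every case also uses only the lowercase `audit`/`enforce` spellings that validate.go flags as deprecated, so the canonical `Audit`/`Enforce` values are untested at rule level. Add at least one mixed-level case whose expected `blocked` value documents which level wins, one case using the capitalised values, and fill `messages` for the blocked cases that omit it (e.g. the first case, namespace `default`) so a block caused by the wrong rule is caught.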
@@ -164,6 +196,90 @@ func TestBlockRequest(t *testing.T) {
 			log: logr.Discard(),
 		},
 		want: false,
+	}, {
+		name: "failure - enforce",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, enforceRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Fail,
+			log: logr.Discard(),
+		},
+		want: true,
+	}, {
+		name: "failure - audit",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Fail,
+			log: logr.Discard(),
+		},
+		want: false,
+	}, {
+		name: "error - fail",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Fail,
+			log: logr.Discard(),
+		},
+		want: true,
+	}, {
+		name: "error - ignore",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Ignore,
+			log: logr.Discard(),
+		},
+		want: false,
+	}, {
+		name: "warning - ignore",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Ignore,
+			log: logr.Discard(),
+		},
+		want: false,
+	}, {
+		name: "warning - fail",
+		args: args{
+			engineResponses: []engineapi.EngineResponse{
+				engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
+					Rules: []engineapi.RuleResponse{
+						*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
+					},
+				}),
+			},
+			failurePolicy: kyvernov1.Fail,
+			log: logr.Discard(),
+		},
+		want: false,
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
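Review bot: the failing rule responses in the new cases are named `rule-fail`/`rule-error`/`rule-warning`, while the `auditRule`/`enforceRule` fixtures from the earlier hunk carry rules named `rule-audit`/`rule-enforce`, so no case exercises the path where the engine's rule name matches a policy rule — if the function under test resolves the action by rule name, `failure - enforce` passing with `want: true` is reached through a fallback, and the table cannot tell which from here. Name each response after the policy rule it belongs to, e.g. `*engineapi.RuleFail("rule-enforce", engineapi.Validation, "message fail")`, and add one deliberately mismatched case whose expectation documents the fallback behaviour. Both fixtures also share `Name: "test"`, which would mask policy-name mix-ups in any message assertion.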