
feat: migrate validationFailureAction and validationFailureActionOverrides (#10528)

* feat: migrate validationFailureAction and validationFailureActionOverrides under validate rule

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* feat: add unit tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Mariam Fahmy 2024-06-26 15:13:02 +08:00 committed by GitHub
parent 88ae60ea9d
commit ff88c4c39a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
32 changed files with 4676 additions and 269 deletions


@ -419,6 +419,19 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) {
// Validation defines checks to be performed on matching resources. // Validation defines checks to be performed on matching resources.
type Validation struct { type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce.
// +optional
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure. // Message specifies a custom message to be displayed on failure.
// +optional // +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"` Message string `json:"message,omitempty" yaml:"message,omitempty"`
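Review bot: The doc comment on the new `ValidationFailureActionOverrides` field (the `// ValidationFailureActionOverrides is a Cluster Policy attribute ...` lines) was carried over from the spec-level field and still calls it a Cluster Policy attribute, although it now lives on the validate rule. The `ValidationFailureAction` comment likewise does not say what happens when both the rule-level field and the deprecated spec-level one are set, even though the `GetValidationFailureAction` getter added elsewhere in this commit gives the rule-level value precedence and falls back to the spec-level one. I would rewrite the two comment heads as `// ValidationFailureAction defines if a violation of this rule blocks (enforce) or allows (audit) the request. When set it takes precedence over the deprecated spec-level validationFailureAction; when unset the spec-level value applies.` and `// ValidationFailureActionOverrides specifies ValidationFailureAction namespace-wise for this rule, overriding its validationFailureAction for the listed namespaces.` The same wording is copied into the v2beta1 `Validation` struct in a later section of this commit and needs the same fix.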


@ -63,18 +63,12 @@ type Spec struct {
// Deprecated, use failurePolicy under the webhookConfiguration instead. // Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// ValidationFailureAction defines if a validation policy rule violation should block // Deprecated, use validationFailureAction under the validate rule instead.
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "Audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=Audit // +kubebuilder:default=Audit
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // Deprecated, use validationFailureActionOverrides under the validate rule instead.
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Admission controls if rules are applied during admission. // Admission controls if rules are applied during admission.
@ -234,6 +228,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
return *s.Background return *s.Background
} }
// GetValidationFailureAction returns the value of the validationFailureAction
func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
for _, rule := range s.Rules {
if rule.HasValidate() {
validationFailureAction := rule.Validation.ValidationFailureAction
if validationFailureAction != nil {
return *validationFailureAction
}
}
}
return s.ValidationFailureAction
}
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride {
for _, rule := range s.Rules {
if rule.HasValidate() {
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
if len(validationFailureActionOverrides) != 0 {
return validationFailureActionOverrides
}
}
}
return s.ValidationFailureActionOverrides
}
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
for _, rule := range s.Rules { for _, rule := range s.Rules {
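Review bot: `GetValidationFailureAction` returns the value from the first validate rule that sets one and then stops, so rule-level settings on any later validate rule are never consulted by this spec-level getter; if a caller uses it to decide whether to block admission, a policy whose first validate rule says `audit` and a later one says `enforce` would be treated as audit for every rule, which quietly weakens enforcement. `GetValidationFailureActionOverrides` has the same first-rule-wins shape, and both are duplicated in the v2beta1 `Spec` section of this commit. At minimum the doc comments should state the precedence, e.g. `// GetValidationFailureAction returns the validationFailureAction of the first validate rule that sets one, falling back to the deprecated spec-level field; values set on later rules are ignored here.`, and callers that act per rule should read `rule.Validation.ValidationFailureAction` directly rather than this getter. A small style point: the field comments `// Deprecated, use validationFailureAction under the validate rule instead.` should use the `// Deprecated: use ...` form in its own paragraph so tooling surfaces the deprecation.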


@ -1585,6 +1585,18 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) { func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in *out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
*out = new(ValidationFailureAction)
**out = **in
}
if in.ValidationFailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
*out = make([]ValidationFailureActionOverride, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Manifests != nil { if in.Manifests != nil {
in, out := &in.Manifests, &out.Manifests in, out := &in.Manifests, &out.Manifests
*out = new(Manifests) *out = new(Manifests)


@ -8,6 +8,19 @@ import (
// Validation defines checks to be performed on matching resources. // Validation defines checks to be performed on matching resources.
type Validation struct { type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce.
// +optional
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Message specifies a custom message to be displayed on failure. // Message specifies a custom message to be displayed on failure.
// +optional // +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"` Message string `json:"message,omitempty" yaml:"message,omitempty"`


@ -26,18 +26,12 @@ type Spec struct {
// Deprecated, use failurePolicy under the webhookConfiguration instead. // Deprecated, use failurePolicy under the webhookConfiguration instead.
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
// ValidationFailureAction defines if a validation policy rule violation should block // Deprecated, use validationFailureAction under the validate rule instead.
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "Audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=Audit // +kubebuilder:default=Audit
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // Deprecated, use validationFailureActionOverrides under the validate rule instead.
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
// +optional
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
// Admission controls if rules are applied during admission. // Admission controls if rules are applied during admission.
@ -203,6 +197,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
return *s.Background return *s.Background
} }
// GetValidationFailureAction returns the value of the validationFailureAction
func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
for _, rule := range s.Rules {
if rule.HasValidate() {
validationFailureAction := rule.Validation.ValidationFailureAction
if validationFailureAction != nil {
return *validationFailureAction
}
}
}
return s.ValidationFailureAction
}
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride {
for _, rule := range s.Rules {
if rule.HasValidate() {
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
if len(validationFailureActionOverrides) != 0 {
return validationFailureActionOverrides
}
}
}
return s.ValidationFailureActionOverrides
}
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value // GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
for _, rule := range s.Rules { for _, rule := range s.Rules {


@ -831,6 +831,18 @@ func (in *Spec) DeepCopy() *Spec {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Validation) DeepCopyInto(out *Validation) { func (in *Validation) DeepCopyInto(out *Validation) {
*out = *in *out = *in
if in.ValidationFailureAction != nil {
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
*out = new(v1.ValidationFailureAction)
**out = **in
}
if in.ValidationFailureActionOverrides != nil {
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
*out = make([]v1.ValidationFailureActionOverride, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Manifests != nil { if in.Manifests != nil {
in, out := &in.Manifests, &out.Manifests in, out := &in.Manifests, &out.Manifests
*out = new(v1.Manifests) *out = new(v1.Manifests)


@ -3429,6 +3429,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4212,11 +4295,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4224,9 +4304,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7713,6 +7792,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11797,6 +11959,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12549,11 +12794,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12561,9 +12803,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16050,6 +16291,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures


@ -3430,6 +3430,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4213,11 +4296,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4225,9 +4305,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7715,6 +7794,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11800,6 +11962,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12552,11 +12797,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12564,9 +12806,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16053,6 +16294,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures


@ -3423,6 +3423,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4206,11 +4289,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4218,9 +4298,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7707,6 +7786,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11791,6 +11953,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12543,11 +12788,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12555,9 +12797,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16044,6 +16285,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures


@ -3424,6 +3424,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4207,11 +4290,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4219,9 +4299,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7709,6 +7788,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11794,6 +11956,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12546,11 +12791,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12558,9 +12800,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16047,6 +16288,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures


@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
assert.NotNil(t, policy) assert.NotNil(t, policy)
spec := policy.GetSpec() spec := policy.GetSpec()
assert.NotNil(t, spec) assert.NotNil(t, spec)
assert.True(t, spec.ValidationFailureAction.Audit()) assert.True(t, spec.GetValidationFailureAction().Audit())
assert.NotNil(t, spec.Background) assert.NotNil(t, spec.Background)
assert.True(t, *spec.Background) assert.True(t, *spec.Background)
assert.NotNil(t, spec.Admission) assert.NotNil(t, spec.Admission)
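Review bot: The assertion `assert.True(t, spec.GetValidationFailureAction().Audit())` only pins that the accessor reports audit for this one fixture, and audit is also the deprecated spec-level default, so the test cannot tell a fixture that sets the spec-level field apart from one that leaves it unset; a regression in how the getter resolves the deprecated field would pass here. Since the commit moves the action under the validate rule, a companion case that loads a policy whose rule sets `validationFailureAction: Enforce` while the spec-level field is absent, and asserts the action resolved for that rule, would pin the precedence between the two fields, which is the enforcement-relevant behaviour this migration introduces. Whether the getter itself consults rule-level values or only the spec-level field is not visible in this hunk, so that case should be written against whichever accessor the rule evaluation path uses. The enclosing TestLoadWithKubectlValidate body begins before and continues after the hunk.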

View file

@ -3423,6 +3423,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4206,11 +4289,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4218,9 +4298,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7707,6 +7786,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11791,6 +11953,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12543,11 +12788,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12555,9 +12797,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16044,6 +16285,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures

View file

@ -3424,6 +3424,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -4207,11 +4290,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -4219,9 +4299,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -7709,6 +7788,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -11794,6 +11956,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -12546,11 +12791,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -12558,9 +12800,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -16047,6 +16288,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures

View file

@ -8630,6 +8630,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -9413,11 +9496,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -9425,9 +9505,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -12914,6 +12993,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -16998,6 +17160,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -17750,11 +17995,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -17762,9 +18004,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -21251,6 +21492,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -25845,6 +26169,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -26628,11 +27035,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -26640,9 +27044,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -30130,6 +30533,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -34215,6 +34701,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the policy
validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures
@ -34967,11 +35536,8 @@ spec:
type: boolean type: boolean
validationFailureAction: validationFailureAction:
default: Audit default: Audit
description: |- description: Deprecated, use validationFailureAction under the validate
ValidationFailureAction defines if a validation policy rule violation should block rule instead.
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is "Audit".
enum: enum:
- audit - audit
- enforce - enforce
@ -34979,9 +35545,8 @@ spec:
- Enforce - Enforce
type: string type: string
validationFailureActionOverrides: validationFailureActionOverrides:
description: |- description: Deprecated, use validationFailureActionOverrides under
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction the validate rule instead.
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items: items:
properties: properties:
action: action:
@ -38468,6 +39033,89 @@ spec:
- latest - latest
type: string type: string
type: object type: object
validationFailureAction:
description: |-
ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: |-
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
items:
properties:
action:
description: ValidationFailureAction defines the
policy validation failure action
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of
label selector requirements. The requirements
are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that
the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
type: object type: object
verifyImages: verifyImages:
description: VerifyImages is used to verify image signatures description: VerifyImages is used to verify image signatures


@ -160,11 +160,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -177,9 +173,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -428,11 +422,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -445,9 +435,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -3951,11 +3939,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -3968,9 +3952,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -4377,6 +4359,38 @@ It is an empty string when validating admission policy is successfully generated
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.</p>
</td>
</tr>
<tr>
<td>
<code>validationFailureActionOverrides</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td>
</tr>
<tr>
<td>
<code>message</code><br/> <code>message</code><br/>
<em> <em>
string string
@ -4495,8 +4509,10 @@ CEL
<p> <p>
(<em>Appears on:</em> (<em>Appears on:</em>
<a href="#kyverno.io/v1.Spec">Spec</a>, <a href="#kyverno.io/v1.Spec">Spec</a>,
<a href="#kyverno.io/v1.Validation">Validation</a>,
<a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>, <a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>,
<a href="#kyverno.io/v2beta1.Spec">Spec</a>) <a href="#kyverno.io/v2beta1.Spec">Spec</a>,
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
</p> </p>
<p> <p>
<p>ValidationFailureAction defines the policy validation failure action</p> <p>ValidationFailureAction defines the policy validation failure action</p>
@ -4506,7 +4522,9 @@ CEL
<p> <p>
(<em>Appears on:</em> (<em>Appears on:</em>
<a href="#kyverno.io/v1.Spec">Spec</a>, <a href="#kyverno.io/v1.Spec">Spec</a>,
<a href="#kyverno.io/v2beta1.Spec">Spec</a>) <a href="#kyverno.io/v1.Validation">Validation</a>,
<a href="#kyverno.io/v2beta1.Spec">Spec</a>,
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
</p> </p>
<p> <p>
</p> </p>
@ -7375,11 +7393,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -7392,9 +7406,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -7642,11 +7654,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -7659,9 +7667,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -9029,11 +9035,7 @@ ValidationFailureAction
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -9046,9 +9048,7 @@ Allowed values are audit or enforce. The default value is &ldquo;Audit&rdquo;.</
</em> </em>
</td> </td>
<td> <td>
<em>(Optional)</em> <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -9185,6 +9185,38 @@ WebhookConfiguration
<tbody> <tbody>
<tr> <tr>
<td> <td>
<code>validationFailureAction</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.</p>
</td>
</tr>
<tr>
<td>
<code>validationFailureActionOverrides</code><br/>
<em>
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
[]ValidationFailureActionOverride
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td>
</tr>
<tr>
<td>
<code>message</code><br/> <code>message</code><br/>
<em> <em>
string string


@ -235,6 +235,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -249,10 +251,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -267,6 +266,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -281,8 +282,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -792,6 +792,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -806,10 +808,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -824,6 +823,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -838,8 +839,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -7827,6 +7827,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -7841,10 +7843,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -7859,6 +7858,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -7873,8 +7874,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -8740,6 +8740,68 @@ It is an empty string when validating admission policy is successfully generated
<tr>
<td><code>validationFailureAction</code>
</br>
<a href="#kyverno-io-v1-ValidationFailureAction">
<span style="font-family: monospace">ValidationFailureAction</span>
</a>
</td>
<td>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.</p>
</td>
</tr>
<tr>
<td><code>validationFailureActionOverrides</code>
</br>
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
</a>
</td>
<td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td>
</tr>
<tr> <tr>
<td><code>message</code> <td><code>message</code>
@ -8979,6 +9041,7 @@ by specifying exclusions for Pod Security Standards controls.</p>
<p> <p>
(<em>Appears in:</em> (<em>Appears in:</em>
<a href="#kyverno-io-v1-Spec">Spec</a>, <a href="#kyverno-io-v1-Spec">Spec</a>,
<a href="#kyverno-io-v1-Validation">Validation</a>,
<a href="#kyverno-io-v1-ValidationFailureActionOverride">ValidationFailureActionOverride</a>) <a href="#kyverno-io-v1-ValidationFailureActionOverride">ValidationFailureActionOverride</a>)
</p> </p>
@ -8994,7 +9057,8 @@ by specifying exclusions for Pod Security Standards controls.</p>
<p> <p>
(<em>Appears in:</em> (<em>Appears in:</em>
<a href="#kyverno-io-v1-Spec">Spec</a>) <a href="#kyverno-io-v1-Spec">Spec</a>,
<a href="#kyverno-io-v1-Validation">Validation</a>)
</p> </p>
@ -835,6 +835,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -849,10 +851,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -867,6 +866,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -881,8 +882,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -1394,6 +1394,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -1408,10 +1410,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -1426,6 +1425,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -1440,8 +1441,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -4165,6 +4165,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<tr> <tr>
<td><code>validationFailureAction</code> <td><code>validationFailureAction</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -4179,10 +4181,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
<td> <td>
<p>ValidationFailureAction defines if a validation policy rule violation should block <p>Deprecated, use validationFailureAction under the validate rule instead.</p>
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
@ -4197,6 +4196,8 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<tr> <tr>
<td><code>validationFailureActionOverrides</code> <td><code>validationFailureActionOverrides</code>
<span style="color:blue;"> *</span>
</br> </br>
@ -4211,8 +4212,7 @@ Allowed values are audit or enforce. The default value is &quot;Audit&quot;.</p>
<td> <td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction <p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
@ -4516,6 +4516,68 @@ Defaults to &quot;false&quot; if not specified.</p>
<tr>
<td><code>validationFailureAction</code>
</br>
<a href="#kyverno-io-v1-ValidationFailureAction">
<span style="font-family: monospace">ValidationFailureAction</span>
</a>
</td>
<td>
<p>ValidationFailureAction defines if a validation policy rule violation should block
the admission review request (enforce), or allow (audit) the admission review request
and report an error in a policy report. Optional.
Allowed values are audit or enforce.</p>
</td>
</tr>
<tr>
<td><code>validationFailureActionOverrides</code>
</br>
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
</a>
</td>
<td>
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
</td>
</tr>
<tr> <tr>
<td><code>message</code> <td><code>message</code>
@ -19,20 +19,23 @@ limitations under the License.
package v1 package v1
import ( import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
) )
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply. // with apply.
type ValidationApplyConfiguration struct { type ValidationApplyConfiguration struct {
Message *string `json:"message,omitempty"` ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` Message *string `json:"message,omitempty"`
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"` RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
CEL *CELApplyConfiguration `json:"cel,omitempty"` Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *CELApplyConfiguration `json:"cel,omitempty"`
} }
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -41,6 +44,27 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{} return &ValidationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value
return b
}
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides")
}
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
}
return b
}
// WithMessage sets the Message field in the declarative configuration to the given value // WithMessage sets the Message field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Message field is set to the value of the last call. // If called multiple times, the Message field is set to the value of the last call.
@ -19,21 +19,24 @@ limitations under the License.
package v2beta1 package v2beta1
import ( import (
v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1" v1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
) )
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
// with apply. // with apply.
type ValidationApplyConfiguration struct { type ValidationApplyConfiguration struct {
Message *string `json:"message,omitempty"` ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
Manifests *v1.ManifestsApplyConfiguration `json:"manifests,omitempty"` ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
ForEachValidation []v1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"` Message *string `json:"message,omitempty"`
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
Deny *DenyApplyConfiguration `json:"deny,omitempty"` RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
PodSecurity *v1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
CEL *v1.CELApplyConfiguration `json:"cel,omitempty"` Deny *DenyApplyConfiguration `json:"deny,omitempty"`
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
} }
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
@ -42,6 +45,27 @@ func Validation() *ValidationApplyConfiguration {
return &ValidationApplyConfiguration{} return &ValidationApplyConfiguration{}
} }
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
b.ValidationFailureAction = &value
return b
}
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithValidationFailureActionOverrides")
}
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
}
return b
}
// WithMessage sets the Message field in the declarative configuration to the given value // WithMessage sets the Message field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Message field is set to the value of the last call. // If called multiple times, the Message field is set to the value of the last call.
@ -53,7 +77,7 @@ func (b *ValidationApplyConfiguration) WithMessage(value string) *ValidationAppl
// WithManifests sets the Manifests field in the declarative configuration to the given value // WithManifests sets the Manifests field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Manifests field is set to the value of the last call. // If called multiple times, the Manifests field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithManifests(value *kyvernov1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
b.Manifests = value b.Manifests = value
return b return b
} }
@ -61,7 +85,7 @@ func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyCon
// WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration // WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations. // and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the ForEachValidation field. // If called multiple times, values provided by each call will be appended to the ForEachValidation field.
func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*v1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*kyvernov1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
for i := range values { for i := range values {
if values[i] == nil { if values[i] == nil {
panic("nil value passed to WithForEachValidation") panic("nil value passed to WithForEachValidation")
@ -98,7 +122,7 @@ func (b *ValidationApplyConfiguration) WithDeny(value *DenyApplyConfiguration) *
// WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value // WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the PodSecurity field is set to the value of the last call. // If called multiple times, the PodSecurity field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithPodSecurity(value *kyvernov1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
b.PodSecurity = value b.PodSecurity = value
return b return b
} }
@ -106,7 +130,7 @@ func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityAppl
// WithCEL sets the CEL field in the declarative configuration to the given value // WithCEL sets the CEL field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations. // and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the CEL field is set to the value of the last call. // If called multiple times, the CEL field is set to the value of the last call.
func (b *ValidationApplyConfiguration) WithCEL(value *v1.CELApplyConfiguration) *ValidationApplyConfiguration { func (b *ValidationApplyConfiguration) WithCEL(value *kyvernov1.CELApplyConfiguration) *ValidationApplyConfiguration {
b.CEL = value b.CEL = value
return b return b
} }
@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName()) logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
} }
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() { if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated) err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
if err != nil { if err != nil {
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName()) logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
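Review bot: The enforce/audit comparison on the changed line now goes through `GetValidationFailureAction()`, which has to collapse a setting that can live on the deprecated spec field or on each rule's `validate` block into one policy-wide value, and the getter itself is not in this diff, so it is unclear what it returns when two rules disagree or when both levels are set. That precedence decides whether a policy counts as enforcing here, in `computeEnforcePolicy` in the policy cache, in `GetValidationFailureAction` on EngineResponse, in `GetPolicyInfos`, and in the ValidatingAdmissionPolicy binding builder, so it should be stated in the getter's doc comment and pinned by a test with a mixed policy. If values conflict, resolving toward Enforce is the safer default, since the alternative silently downgrades a rule its author marked Enforce to Audit. registerPolicyChangesMetricUpdatePolicy starts and ends outside the hunk.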
@ -199,7 +199,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
return "" return ""
} }
spec := pol.AsKyvernoPolicy().GetSpec() spec := pol.AsKyvernoPolicy().GetSpec()
for _, v := range spec.ValidationFailureActionOverrides { for _, v := range spec.GetValidationFailureActionOverrides() {
if !v.Action.IsValid() { if !v.Action.IsValid() {
continue continue
} }
@ -221,5 +221,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
} }
} }
} }
return spec.ValidationFailureAction return spec.GetValidationFailureAction()
} }
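Review bot: The override loop now reads `spec.GetValidationFailureActionOverrides()`, so overrides declared inside one rule's `validate` block are applied to the whole response; if the getter concatenates overrides from every rule (it is not visible here), an Audit override attached to an unrelated rule can downgrade a violation produced by an Enforce rule in that namespace. Since this method resolves one action per policy, consider resolving from the rule that produced the violation when its `Validation.ValidationFailureAction` is set and falling back to the spec only otherwise, and add a comment on the method stating which level wins. GetValidationFailureAction starts outside the hunk.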
@ -680,6 +680,8 @@ func TestEngineResponse_GetSuccessRules(t *testing.T) {
func TestEngineResponse_GetValidationFailureAction(t *testing.T) { func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
resource := unstructured.Unstructured{} resource := unstructured.Unstructured{}
resource.SetNamespace("foo") resource.SetNamespace("foo")
audit := kyvernov1.Audit
enforce := kyvernov1.Enforce
type fields struct { type fields struct {
PatchedResource unstructured.Unstructured PatchedResource unstructured.Unstructured
GenericPolicy GenericPolicy GenericPolicy GenericPolicy
@ -708,6 +710,36 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}), }),
}, },
want: kyvernov1.Enforce, want: kyvernov1.Enforce,
}, {
fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &audit,
},
},
},
},
}),
},
want: kyvernov1.Audit,
}, {
fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, { }, {
fields: fields{ fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{ GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
@ -734,6 +766,44 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}), }),
}, },
want: kyvernov1.Enforce, want: kyvernov1.Enforce,
}, {
fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"*"},
}},
},
},
},
},
}),
},
want: kyvernov1.Audit,
}, {
fields: fields{
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: "invalid",
Namespaces: []string{"*"},
}},
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, { }, {
fields: fields{ fields: fields{
PatchedResource: resource, PatchedResource: resource,
@ -892,6 +962,212 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
}), }),
}, },
want: kyvernov1.Audit, want: kyvernov1.Audit,
}, {
fields: fields{
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
}},
},
},
},
},
}),
},
want: kyvernov1.Audit,
}, {
fields: fields{
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"bar"},
}},
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"bar": "foo",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"foo": "bar",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Audit,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"bar": "foo",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"bar"},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"foo": "bar",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Enforce,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"foo"},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"foo": "bar",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Audit,
}, {
fields: fields{
namespaceLabels: map[string]string{
"foo": "bar",
},
PatchedResource: resource,
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
Action: kyvernov1.Audit,
Namespaces: []string{"*"},
NamespaceSelector: &metav1.LabelSelector{
MatchLabels: map[string]string{
"foo": "bar",
},
},
}},
},
},
},
},
}),
},
want: kyvernov1.Audit,
}} }}
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
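Review bot: The added table cases carry no `name`, and the loop runs `t.Run(tt.name, func(t *testing.T) {...})`, so each new case reports as an unnamed subtest and a failure cannot be attributed without counting entries; give each one a short name such as `name: "rule-level-enforce-with-namespace-override"`. The cases also never combine the deprecated spec-level `ValidationFailureAction` with a rule-level one, nor two rules with different actions, which is exactly the precedence the new getters introduce and the place a regression would silently turn Enforce into Audit; please add both combinations with an explicit expected action.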
@ -77,6 +77,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
policyType = Namespaced policyType = Namespaced
} }
backgroundMode := ParsePolicyBackgroundMode(policy) backgroundMode := ParsePolicyBackgroundMode(policy)
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction) validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
return name, namespace, policyType, backgroundMode, validationMode, err return name, namespace, policyType, backgroundMode, validationMode, err
} }
@ -78,8 +78,8 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
} }
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool { func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
validationFailureAction := policy.GetSpec().ValidationFailureAction validationFailureAction := policy.GetSpec().GetValidationFailureAction()
validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) { if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
return false return false
} }
@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
} }
func computeEnforcePolicy(spec *kyvernov1.Spec) bool { func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
if spec.ValidationFailureAction.Enforce() { if spec.GetValidationFailureAction().Enforce() {
return true return true
} }
for _, k := range spec.ValidationFailureActionOverrides { for _, k := range spec.GetValidationFailureActionOverrides() {
if k.Action.Enforce() { if k.Action.Enforce() {
return true return true
} }
@ -77,7 +77,7 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al
// set validation action for vap binding // set validation action for vap binding
var validationActions []admissionregistrationv1alpha1.ValidationAction var validationActions []admissionregistrationv1alpha1.ValidationAction
action := cpol.GetSpec().ValidationFailureAction action := cpol.GetSpec().GetValidationFailureAction()
if action.Enforce() { if action.Enforce() {
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny) validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
} else if action.Audit() { } else if action.Audit() {
@ -19,12 +19,13 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
return false, msg return false, msg
} }
if len(spec.ValidationFailureActionOverrides) > 1 { validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
if len(validationFailureActionOverrides) > 1 {
msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable." msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
return false, msg return false, msg
} }
if len(spec.ValidationFailureActionOverrides) != 0 && len(spec.ValidationFailureActionOverrides[0].Namespaces) != 0 { if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable." msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
return false, msg return false, msg
} }
@ -391,6 +391,110 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
] ]
} }
} }
`),
expected: false,
},
{
name: "policy-with-multiple-validationFailureActionOverrides-in-validate-rule",
policy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-host-path"
},
"spec": {
"rules": [
{
"name": "host-path",
"match": {
"any": [
{
"resources": {
"kinds": [
"Pod"
]
}
}
]
},
"validate": {
"validationFailureAction": "Enforce",
"validationFailureActionOverrides": [
{
"action": "Enforce",
"namespaces": [
"default"
]
},
{
"action": "Audit",
"namespaces": [
"test"
]
}
],
"cel": {
"expressions": [
{
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
}
]
}
}
}
]
}
}
`),
expected: false,
},
{
name: "policy-with-namespace-in-validationFailureActionOverrides-in-validate-rule",
policy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-host-path"
},
"spec": {
"rules": [
{
"name": "host-path",
"match": {
"any": [
{
"resources": {
"kinds": [
"Pod"
]
}
}
]
},
"validate": {
"validationFailureAction": "Enforce",
"validationFailureActionOverrides": [
{
"action": "Enforce",
"namespaces": [
"test-ns"
]
}
],
"cel": {
"expressions": [
{
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
}
]
}
}
}
]
}
}
`), `),
expected: false, expected: false,
}, },


@ -116,10 +116,10 @@ func validateJSONPatch(patch string, ruleIdx int) error {
func checkValidationFailureAction(spec *kyvernov1.Spec) []string { func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead." msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
if spec.ValidationFailureAction == "enforce" || spec.ValidationFailureAction == "audit" { if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
return []string{msg} return []string{msg}
} }
for _, override := range spec.ValidationFailureActionOverrides { for _, override := range spec.GetValidationFailureActionOverrides() {
if override.Action == "enforce" || override.Action == "audit" { if override.Action == "enforce" || override.Action == "audit" {
return []string{msg} return []string{msg}
} }
@ -326,7 +326,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
if rule.HasVerifyImages() { if rule.HasVerifyImages() {
isAuditFailureAction := false isAuditFailureAction := false
if spec.ValidationFailureAction == kyvernov1.Audit { if spec.GetValidationFailureAction() == kyvernov1.Audit {
isAuditFailureAction = true isAuditFailureAction = true
} }
@ -1555,7 +1555,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
"auditW": sets.New[string](), "auditW": sets.New[string](),
} }
for i, vfa := range s.ValidationFailureActionOverrides { for i, vfa := range s.GetValidationFailureActionOverrides() {
if !vfa.Action.IsValid() { if !vfa.Action.IsValid() {
return fmt.Errorf("invalid action") return fmt.Errorf("invalid action")
} }
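Review bot: In the Validate hunk the `isAuditFailureAction` check sits inside a per-rule branch (`rule.HasVerifyImages()`) but reads the policy-wide `spec.GetValidationFailureAction()`, so with actions now declared per rule the verify-images rule's own `rule.Validation.ValidationFailureAction` may be Enforce while the getter reports Audit (or the reverse) — I cannot see the getter, so this is inferred, but it would mean the audit-specific validation applies to the wrong rule. Reading the rule's own value first and falling back to the policy-level one, or documenting why the policy-wide value is the right one here, would settle it. In checkValidationFailureAction the getter is called twice on the same line; hoisting it as CanGenerateVAP does, `action := spec.GetValidationFailureAction()` / `if action == "enforce" || action == "audit" {`, keeps the two files consistent. All three enclosing functions start and end outside their hunks.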


@ -117,7 +117,7 @@ func (v *validationHandler) HandleValidationEnforce(
engineResponses = append(engineResponses, engineResponse) engineResponses = append(engineResponses, engineResponse)
if !engineResponse.IsSuccessful() { if !engineResponse.IsSuccessful() {
logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules()) logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
return return
} }


@ -62,6 +62,38 @@ func TestBlockRequest(t *testing.T) {
ValidationFailureAction: kyvernov1.Enforce, ValidationFailureAction: kyvernov1.Enforce,
}, },
}) })
audit := kyvernov1.Audit
auditRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
ObjectMeta: v1.ObjectMeta{
Name: "test",
},
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Name: "rule-audit",
Validation: kyvernov1.Validation{
ValidationFailureAction: &audit,
},
},
},
},
})
enforce := kyvernov1.Enforce
enforceRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
ObjectMeta: v1.ObjectMeta{
Name: "test",
},
Spec: kyvernov1.Spec{
Rules: []kyvernov1.Rule{
{
Name: "rule-enforce",
Validation: kyvernov1.Validation{
ValidationFailureAction: &enforce,
},
},
},
},
})
resource := unstructured.Unstructured{ resource := unstructured.Unstructured{
Object: map[string]interface{}{ Object: map[string]interface{}{
"kind": "foo", "kind": "foo",
@ -164,6 +196,90 @@ func TestBlockRequest(t *testing.T) {
log: logr.Discard(), log: logr.Discard(),
}, },
want: false, want: false,
}, {
name: "failure - enforce",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, enforceRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
},
}),
},
failurePolicy: kyvernov1.Fail,
log: logr.Discard(),
},
want: true,
}, {
name: "failure - audit",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
},
}),
},
failurePolicy: kyvernov1.Fail,
log: logr.Discard(),
},
want: false,
}, {
name: "error - fail",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
},
}),
},
failurePolicy: kyvernov1.Fail,
log: logr.Discard(),
},
want: true,
}, {
name: "error - ignore",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
},
}),
},
failurePolicy: kyvernov1.Ignore,
log: logr.Discard(),
},
want: false,
}, {
name: "warning - ignore",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
},
}),
},
failurePolicy: kyvernov1.Ignore,
log: logr.Discard(),
},
want: false,
}, {
name: "warning - fail",
args: args{
engineResponses: []engineapi.EngineResponse{
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
Rules: []engineapi.RuleResponse{
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
},
}),
},
failurePolicy: kyvernov1.Fail,
log: logr.Discard(),
},
want: false,
}} }}
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
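Review bot: The new fixtures name their rules `rule-audit` and `rule-enforce`, but every RuleResponse they are paired with is named `rule-fail`, `rule-error` or `rule-warning`, so the cases only prove the intended point if BlockRequest resolves the action from the policy without matching the failing rule's name; if it ever resolved per rule by name, "failure - enforce" would pass for the wrong reason. Using the fixture's rule name in the response, e.g. `*engineapi.RuleFail("rule-enforce", engineapi.Validation, "message fail")`, removes that ambiguity, and giving the two policies distinct names instead of both being `test` makes failures easier to read. There is also no case where a spec-level ValidationFailureAction and a rule-level one disagree, which is the precedence question this migration introduces. TestBlockRequest starts and ends outside this hunk.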