feat: migrate validationFailureAction and validationFailureActionOverrides (#10528)
* feat: migrate validationFailureAction and validationFailureActionOverrides under validate rule Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: add unit tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
88ae60ea9d
commit
ff88c4c39a
32 changed files with 4676 additions and 269 deletions
@ -419,6 +419,19 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) {
// Validation defines checks to be performed on matching resources.
|
// Validation defines checks to be performed on matching resources.
|
||||||
type Validation struct {
|
type Validation struct {
|
||||||
|
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
// the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
// and report an error in a policy report. Optional.
|
||||||
|
// Allowed values are audit or enforce.
|
||||||
|
// +optional
|
||||||
|
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||||
|
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||||
|
|
||||||
|
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
// +optional
|
||||||
|
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Message specifies a custom message to be displayed on failure.
|
// Message specifies a custom message to be displayed on failure.
|
||||||
// +optional
|
// +optional
|
||||||
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
||||||
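Review bot: The doc comment on the new rule-level field, `// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction`, was carried over from Spec, but the field now sits on the validate rule, so "Cluster Policy attribute" misdescribes its scope. Suggest `// ValidationFailureActionOverrides specifies ValidationFailureAction namespace-wise for this rule.` followed by `// It overrides the rule's ValidationFailureAction for the specified namespaces.` The ValidationFailureAction comment above it would also benefit from one line stating that a nil value falls back to the spec-level validationFailureAction, which is what the getters added in this commit do, so readers of the type know which setting wins. The same copied comments appear in the second Validation struct hunk (`@ -8,6 +8,19 @@ import (`).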
|
|
|
@ -63,18 +63,12 @@ type Spec struct {
|
||||||
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
||||||
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
// Deprecated, use validationFailureAction under the validate rule instead.
|
||||||
// the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
// and report an error in a policy report. Optional.
|
|
||||||
// Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
// +optional
|
|
||||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||||
// +kubebuilder:default=Audit
|
// +kubebuilder:default=Audit
|
||||||
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
|
||||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
// +optional
|
|
||||||
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Admission controls if rules are applied during admission.
|
// Admission controls if rules are applied during admission.
|
||||||
|
@ -234,6 +228,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
|
||||||
return *s.Background
|
return *s.Background
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetValidationFailureAction returns the value of the validationFailureAction
|
||||||
|
func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
|
||||||
|
for _, rule := range s.Rules {
|
||||||
|
if rule.HasValidate() {
|
||||||
|
validationFailureAction := rule.Validation.ValidationFailureAction
|
||||||
|
if validationFailureAction != nil {
|
||||||
|
return *validationFailureAction
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s.ValidationFailureAction
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
|
||||||
|
func (s *Spec) GetValidationFailureActionOverrides() []ValidationFailureActionOverride {
|
||||||
|
for _, rule := range s.Rules {
|
||||||
|
if rule.HasValidate() {
|
||||||
|
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
||||||
|
if len(validationFailureActionOverrides) != 0 {
|
||||||
|
return validationFailureActionOverrides
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s.ValidationFailureActionOverrides
|
||||||
|
}
|
||||||
|
|
||||||
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
||||||
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
||||||
for _, rule := range s.Rules {
|
for _, rule := range s.Rules {
|
||||||
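Review bot: `GetValidationFailureAction` returns the value from the first validate rule that sets it, so in a policy with several validate rules the first rule's setting silently decides for all of them, and a later rule marked enforce would be reported as audit by any caller that still consults the spec-level getter; `GetValidationFailureActionOverrides` has the same first-match shape. If the intent is per-rule precedence, the engine should read `rule.Validation.ValidationFailureAction` for the rule being evaluated and fall back to `s.ValidationFailureAction` only when that is nil, and the getter's comment should make the fallback order explicit, e.g. `// GetValidationFailureAction returns the validationFailureAction of the first validate rule that sets one, falling back to the deprecated spec-level field; callers deciding the outcome for a specific rule should read that rule's Validation directly.` The v2beta1 copy of both getters in the `@ -203,6 +197,32 @@` hunk has the same issue.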
|
|
|
@ -1585,6 +1585,18 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.ValidationFailureAction != nil {
|
||||||
|
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
||||||
|
*out = new(ValidationFailureAction)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
|
if in.ValidationFailureActionOverrides != nil {
|
||||||
|
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
||||||
|
*out = make([]ValidationFailureActionOverride, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
if in.Manifests != nil {
|
if in.Manifests != nil {
|
||||||
in, out := &in.Manifests, &out.Manifests
|
in, out := &in.Manifests, &out.Manifests
|
||||||
*out = new(Manifests)
|
*out = new(Manifests)
|
||||||
|
|
|
@ -8,6 +8,19 @@ import (
|
||||||
|
|
||||||
// Validation defines checks to be performed on matching resources.
|
// Validation defines checks to be performed on matching resources.
|
||||||
type Validation struct {
|
type Validation struct {
|
||||||
|
// ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
// the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
// and report an error in a policy report. Optional.
|
||||||
|
// Allowed values are audit or enforce.
|
||||||
|
// +optional
|
||||||
|
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||||
|
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||||
|
|
||||||
|
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
// +optional
|
||||||
|
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Message specifies a custom message to be displayed on failure.
|
// Message specifies a custom message to be displayed on failure.
|
||||||
// +optional
|
// +optional
|
||||||
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
Message string `json:"message,omitempty" yaml:"message,omitempty"`
|
||||||
|
|
|
@ -26,18 +26,12 @@ type Spec struct {
|
||||||
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
// Deprecated, use failurePolicy under the webhookConfiguration instead.
|
||||||
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
// Deprecated, use validationFailureAction under the validate rule instead.
|
||||||
// the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
// and report an error in a policy report. Optional.
|
|
||||||
// Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
// +optional
|
|
||||||
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
|
||||||
// +kubebuilder:default=Audit
|
// +kubebuilder:default=Audit
|
||||||
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
// Deprecated, use validationFailureActionOverrides under the validate rule instead.
|
||||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
// +optional
|
|
||||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Admission controls if rules are applied during admission.
|
// Admission controls if rules are applied during admission.
|
||||||
|
@ -203,6 +197,32 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
|
||||||
return *s.Background
|
return *s.Background
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetValidationFailureAction returns the value of the validationFailureAction
|
||||||
|
func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
|
||||||
|
for _, rule := range s.Rules {
|
||||||
|
if rule.HasValidate() {
|
||||||
|
validationFailureAction := rule.Validation.ValidationFailureAction
|
||||||
|
if validationFailureAction != nil {
|
||||||
|
return *validationFailureAction
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s.ValidationFailureAction
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetValidationFailureActionOverrides returns the value of the validationFailureActionOverrides
|
||||||
|
func (s *Spec) GetValidationFailureActionOverrides() []kyvernov1.ValidationFailureActionOverride {
|
||||||
|
for _, rule := range s.Rules {
|
||||||
|
if rule.HasValidate() {
|
||||||
|
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
||||||
|
if len(validationFailureActionOverrides) != 0 {
|
||||||
|
return validationFailureActionOverrides
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return s.ValidationFailureActionOverrides
|
||||||
|
}
|
||||||
|
|
||||||
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
|
||||||
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
|
||||||
for _, rule := range s.Rules {
|
for _, rule := range s.Rules {
|
||||||
|
|
|
@ -831,6 +831,18 @@ func (in *Spec) DeepCopy() *Spec {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
if in.ValidationFailureAction != nil {
|
||||||
|
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
||||||
|
*out = new(v1.ValidationFailureAction)
|
||||||
|
**out = **in
|
||||||
|
}
|
||||||
|
if in.ValidationFailureActionOverrides != nil {
|
||||||
|
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
||||||
|
*out = make([]v1.ValidationFailureActionOverride, len(*in))
|
||||||
|
for i := range *in {
|
||||||
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
}
|
||||||
|
}
|
||||||
if in.Manifests != nil {
|
if in.Manifests != nil {
|
||||||
in, out := &in.Manifests, &out.Manifests
|
in, out := &in.Manifests, &out.Manifests
|
||||||
*out = new(v1.Manifests)
|
*out = new(v1.Manifests)
|
||||||
|
|
|
@ -3429,6 +3429,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4212,11 +4295,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4224,9 +4304,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7713,6 +7792,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11797,6 +11959,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12549,11 +12794,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12561,9 +12803,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16050,6 +16291,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -3430,6 +3430,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4213,11 +4296,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4225,9 +4305,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7715,6 +7794,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11800,6 +11962,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12552,11 +12797,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12564,9 +12806,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16053,6 +16294,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -3423,6 +3423,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4206,11 +4289,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4218,9 +4298,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7707,6 +7786,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11791,6 +11953,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12543,11 +12788,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12555,9 +12797,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16044,6 +16285,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -3424,6 +3424,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4207,11 +4290,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4219,9 +4299,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7709,6 +7788,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11794,6 +11956,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12546,11 +12791,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12558,9 +12800,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16047,6 +16288,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -110,7 +110,7 @@ func TestLoadWithKubectlValidate(t *testing.T) {
|
||||||
assert.NotNil(t, policy)
|
assert.NotNil(t, policy)
|
||||||
spec := policy.GetSpec()
|
spec := policy.GetSpec()
|
||||||
assert.NotNil(t, spec)
|
assert.NotNil(t, spec)
|
||||||
assert.True(t, spec.ValidationFailureAction.Audit())
|
assert.True(t, spec.GetValidationFailureAction().Audit())
|
||||||
assert.NotNil(t, spec.Background)
|
assert.NotNil(t, spec.Background)
|
||||||
assert.True(t, *spec.Background)
|
assert.True(t, *spec.Background)
|
||||||
assert.NotNil(t, spec.Admission)
|
assert.NotNil(t, spec.Admission)
|
||||||
|
|
|
@ -3423,6 +3423,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4206,11 +4289,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4218,9 +4298,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7707,6 +7786,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11791,6 +11953,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12543,11 +12788,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12555,9 +12797,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16044,6 +16285,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -3424,6 +3424,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4207,11 +4290,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -4219,9 +4299,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -7709,6 +7788,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -11794,6 +11956,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -12546,11 +12791,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -12558,9 +12800,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -16047,6 +16288,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -8630,6 +8630,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9413,11 +9496,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -9425,9 +9505,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -12914,6 +12993,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -16998,6 +17160,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -17750,11 +17995,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -17762,9 +18004,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -21251,6 +21492,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -25845,6 +26169,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -26628,11 +27035,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -26640,9 +27044,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -30130,6 +30533,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -34215,6 +34701,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -34967,11 +35536,8 @@ spec:
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
validationFailureAction:
|
||||||
default: Audit
|
default: Audit
|
||||||
description: |-
|
description: Deprecated, use validationFailureAction under the validate
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
rule instead.
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".
|
|
||||||
enum:
|
enum:
|
||||||
- audit
|
- audit
|
||||||
- enforce
|
- enforce
|
||||||
|
@ -34979,9 +35545,8 @@ spec:
|
||||||
- Enforce
|
- Enforce
|
||||||
type: string
|
type: string
|
||||||
validationFailureActionOverrides:
|
validationFailureActionOverrides:
|
||||||
description: |-
|
description: Deprecated, use validationFailureActionOverrides under
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
the validate rule instead.
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
items:
|
||||||
properties:
|
properties:
|
||||||
action:
|
action:
|
||||||
|
@ -38468,6 +39033,89 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
|
validationFailureAction:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
validationFailureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
|
|
@ -160,11 +160,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -177,9 +173,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -428,11 +422,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -445,9 +435,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -3951,11 +3939,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -3968,9 +3952,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -4377,6 +4359,38 @@ It is an empty string when validating admission policy is successfully generated
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
|
<code>validationFailureAction</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
|
ValidationFailureAction
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>validationFailureActionOverrides</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||||
|
[]ValidationFailureActionOverride
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
<code>message</code><br/>
|
<code>message</code><br/>
|
||||||
<em>
|
<em>
|
||||||
string
|
string
|
||||||
|
@ -4495,8 +4509,10 @@ CEL
|
||||||
<p>
|
<p>
|
||||||
(<em>Appears on:</em>
|
(<em>Appears on:</em>
|
||||||
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
||||||
|
<a href="#kyverno.io/v1.Validation">Validation</a>,
|
||||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>,
|
<a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>,
|
||||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
|
<a href="#kyverno.io/v2beta1.Spec">Spec</a>,
|
||||||
|
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
<p>ValidationFailureAction defines the policy validation failure action</p>
|
<p>ValidationFailureAction defines the policy validation failure action</p>
|
||||||
|
@ -4506,7 +4522,9 @@ CEL
|
||||||
<p>
|
<p>
|
||||||
(<em>Appears on:</em>
|
(<em>Appears on:</em>
|
||||||
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
<a href="#kyverno.io/v1.Spec">Spec</a>,
|
||||||
<a href="#kyverno.io/v2beta1.Spec">Spec</a>)
|
<a href="#kyverno.io/v1.Validation">Validation</a>,
|
||||||
|
<a href="#kyverno.io/v2beta1.Spec">Spec</a>,
|
||||||
|
<a href="#kyverno.io/v2beta1.Validation">Validation</a>)
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
</p>
|
</p>
|
||||||
|
@ -7375,11 +7393,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -7392,9 +7406,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -7642,11 +7654,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -7659,9 +7667,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -9029,11 +9035,7 @@ ValidationFailureAction
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is “Audit”.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -9046,9 +9048,7 @@ Allowed values are audit or enforce. The default value is “Audit”.</
|
||||||
</em>
|
</em>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -9185,6 +9185,38 @@ WebhookConfiguration
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
|
<code>validationFailureAction</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
|
ValidationFailureAction
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
|
<code>validationFailureActionOverrides</code><br/>
|
||||||
|
<em>
|
||||||
|
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||||
|
[]ValidationFailureActionOverride
|
||||||
|
</a>
|
||||||
|
</em>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<em>(Optional)</em>
|
||||||
|
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr>
|
||||||
|
<td>
|
||||||
<code>message</code><br/>
|
<code>message</code><br/>
|
||||||
<em>
|
<em>
|
||||||
string
|
string
|
||||||
|
|
|
@ -235,6 +235,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -249,10 +251,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -267,6 +266,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -281,8 +282,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -792,6 +792,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -806,10 +808,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -824,6 +823,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -838,8 +839,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -7827,6 +7827,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -7841,10 +7843,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -7859,6 +7858,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -7873,8 +7874,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -8740,6 +8740,68 @@ It is an empty string when validating admission policy is successfully generated
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<a href="#kyverno-io-v1-ValidationFailureAction">
|
||||||
|
<span style="font-family: monospace">ValidationFailureAction</span>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
|
||||||
|
|
||||||
|
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
|
||||||
|
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
|
||||||
|
|
||||||
|
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>message</code>
|
<td><code>message</code>
|
||||||
|
|
||||||
|
@ -8979,6 +9041,7 @@ by specifying exclusions for Pod Security Standards controls.</p>
|
||||||
<p>
|
<p>
|
||||||
(<em>Appears in:</em>
|
(<em>Appears in:</em>
|
||||||
<a href="#kyverno-io-v1-Spec">Spec</a>,
|
<a href="#kyverno-io-v1-Spec">Spec</a>,
|
||||||
|
<a href="#kyverno-io-v1-Validation">Validation</a>,
|
||||||
<a href="#kyverno-io-v1-ValidationFailureActionOverride">ValidationFailureActionOverride</a>)
|
<a href="#kyverno-io-v1-ValidationFailureActionOverride">ValidationFailureActionOverride</a>)
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
@ -8994,7 +9057,8 @@ by specifying exclusions for Pod Security Standards controls.</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
(<em>Appears in:</em>
|
(<em>Appears in:</em>
|
||||||
<a href="#kyverno-io-v1-Spec">Spec</a>)
|
<a href="#kyverno-io-v1-Spec">Spec</a>,
|
||||||
|
<a href="#kyverno-io-v1-Validation">Validation</a>)
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -835,6 +835,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -849,10 +851,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -867,6 +866,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -881,8 +882,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1394,6 +1394,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -1408,10 +1410,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1426,6 +1425,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -1440,8 +1441,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -4165,6 +4165,8 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -4179,10 +4181,7 @@ set to <code>All</code> all rules in the policy are processed. The default is <c
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>Deprecated, use validationFailureAction under the validate rule instead.</p>
|
||||||
the admission review request (enforce), or allow (audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are audit or enforce. The default value is "Audit".</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -4197,6 +4196,8 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
<span style="color:blue;"> *</span>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
@ -4211,8 +4212,7 @@ Allowed values are audit or enforce. The default value is "Audit".</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>Deprecated, use validationFailureActionOverrides under the validate rule instead.</p>
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -4516,6 +4516,68 @@ Defaults to "false" if not specified.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><code>validationFailureAction</code>
|
||||||
|
|
||||||
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<a href="#kyverno-io-v1-ValidationFailureAction">
|
||||||
|
<span style="font-family: monospace">ValidationFailureAction</span>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
|
||||||
|
|
||||||
|
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (enforce), or allow (audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are audit or enforce.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<tr>
|
||||||
|
<td><code>validationFailureActionOverrides</code>
|
||||||
|
|
||||||
|
</br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<a href="#kyverno-io-v1-ValidationFailureActionOverride">
|
||||||
|
<span style="font-family: monospace">[]ValidationFailureActionOverride</span>
|
||||||
|
</a>
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
|
||||||
|
|
||||||
|
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
||||||
|
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>message</code>
|
<td><code>message</code>
|
||||||
|
|
||||||
|
|
|
@ -19,20 +19,23 @@ limitations under the License.
|
||||||
package v1
|
package v1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ValidationApplyConfiguration struct {
|
type ValidationApplyConfiguration struct {
|
||||||
Message *string `json:"message,omitempty"`
|
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
||||||
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
||||||
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
Message *string `json:"message,omitempty"`
|
||||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||||
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||||
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||||
|
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||||
|
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||||
|
@ -41,6 +44,27 @@ func Validation() *ValidationApplyConfiguration {
|
||||||
return &ValidationApplyConfiguration{}
|
return &ValidationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
||||||
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
|
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
||||||
|
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||||
|
b.ValidationFailureAction = &value
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
||||||
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
|
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
||||||
|
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
|
for i := range values {
|
||||||
|
if values[i] == nil {
|
||||||
|
panic("nil value passed to WithValidationFailureActionOverrides")
|
||||||
|
}
|
||||||
|
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
// WithMessage sets the Message field in the declarative configuration to the given value
|
// WithMessage sets the Message field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the Message field is set to the value of the last call.
|
// If called multiple times, the Message field is set to the value of the last call.
|
||||||
|
|
|
@ -19,21 +19,24 @@ limitations under the License.
|
||||||
package v2beta1
|
package v2beta1
|
||||||
|
|
||||||
import (
|
import (
|
||||||
v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
|
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
|
kyvernov1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
|
||||||
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ValidationApplyConfiguration struct {
|
type ValidationApplyConfiguration struct {
|
||||||
Message *string `json:"message,omitempty"`
|
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
||||||
Manifests *v1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
||||||
ForEachValidation []v1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
Message *string `json:"message,omitempty"`
|
||||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||||
PodSecurity *v1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||||
CEL *v1.CELApplyConfiguration `json:"cel,omitempty"`
|
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||||
|
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||||
|
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||||
|
@ -42,6 +45,27 @@ func Validation() *ValidationApplyConfiguration {
|
||||||
return &ValidationApplyConfiguration{}
|
return &ValidationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
||||||
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
|
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
||||||
|
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||||
|
b.ValidationFailureAction = &value
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
||||||
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
|
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
||||||
|
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
|
for i := range values {
|
||||||
|
if values[i] == nil {
|
||||||
|
panic("nil value passed to WithValidationFailureActionOverrides")
|
||||||
|
}
|
||||||
|
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
||||||
|
}
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
// WithMessage sets the Message field in the declarative configuration to the given value
|
// WithMessage sets the Message field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the Message field is set to the value of the last call.
|
// If called multiple times, the Message field is set to the value of the last call.
|
||||||
|
@ -53,7 +77,7 @@ func (b *ValidationApplyConfiguration) WithMessage(value string) *ValidationAppl
|
||||||
// WithManifests sets the Manifests field in the declarative configuration to the given value
|
// WithManifests sets the Manifests field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the Manifests field is set to the value of the last call.
|
// If called multiple times, the Manifests field is set to the value of the last call.
|
||||||
func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithManifests(value *kyvernov1.ManifestsApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
b.Manifests = value
|
b.Manifests = value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
@ -61,7 +85,7 @@ func (b *ValidationApplyConfiguration) WithManifests(value *v1.ManifestsApplyCon
|
||||||
// WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
|
// WithForEachValidation adds the given value to the ForEachValidation field in the declarative configuration
|
||||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
// If called multiple times, values provided by each call will be appended to the ForEachValidation field.
|
// If called multiple times, values provided by each call will be appended to the ForEachValidation field.
|
||||||
func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*v1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithForEachValidation(values ...*kyvernov1.ForEachValidationApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
for i := range values {
|
for i := range values {
|
||||||
if values[i] == nil {
|
if values[i] == nil {
|
||||||
panic("nil value passed to WithForEachValidation")
|
panic("nil value passed to WithForEachValidation")
|
||||||
|
@ -98,7 +122,7 @@ func (b *ValidationApplyConfiguration) WithDeny(value *DenyApplyConfiguration) *
|
||||||
// WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
|
// WithPodSecurity sets the PodSecurity field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the PodSecurity field is set to the value of the last call.
|
// If called multiple times, the PodSecurity field is set to the value of the last call.
|
||||||
func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithPodSecurity(value *kyvernov1.PodSecurityApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
b.PodSecurity = value
|
b.PodSecurity = value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
@ -106,7 +130,7 @@ func (b *ValidationApplyConfiguration) WithPodSecurity(value *v1.PodSecurityAppl
|
||||||
// WithCEL sets the CEL field in the declarative configuration to the given value
|
// WithCEL sets the CEL field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the CEL field is set to the value of the last call.
|
// If called multiple times, the CEL field is set to the value of the last call.
|
||||||
func (b *ValidationApplyConfiguration) WithCEL(value *v1.CELApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithCEL(value *kyvernov1.CELApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
b.CEL = value
|
b.CEL = value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,7 +27,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(ctx context.Contex
|
||||||
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
|
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
|
||||||
}
|
}
|
||||||
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
|
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
|
||||||
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
|
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction().Enforce() != oldSpec.GetValidationFailureAction().Enforce() {
|
||||||
err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
|
err = policyChangesMetric.RegisterPolicy(ctx, pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
|
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
|
||||||
|
|
|
@ -199,7 +199,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
spec := pol.AsKyvernoPolicy().GetSpec()
|
spec := pol.AsKyvernoPolicy().GetSpec()
|
||||||
for _, v := range spec.ValidationFailureActionOverrides {
|
for _, v := range spec.GetValidationFailureActionOverrides() {
|
||||||
if !v.Action.IsValid() {
|
if !v.Action.IsValid() {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -221,5 +221,5 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return spec.ValidationFailureAction
|
return spec.GetValidationFailureAction()
|
||||||
}
|
}
|
||||||
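Review bot: `GetValidationFailureAction` still collapses the whole policy to one action via `spec.GetValidationFailureAction()`, although the action now lives on each rule's `Validation`; when rules in one policy disagree, the engine response cannot tell its caller which action applies to the rule that actually failed. How `Spec.GetValidationFailureAction()` aggregates across rules is not visible in this diff — if it surfaces only the first rule's value, an enforce rule listed after an audit rule would be reported as audit, which is the fail-open direction for admission. Consider resolving the action from the failing rule's `Validation` (or documenting the precedence on the getter); the same spec-wide reliance appears in `computeEnforcePolicy`, `CanGenerateVAP`, `BuildValidatingAdmissionPolicyBinding` and `validateNamespaces` further down. The function body starts before the first of these two hunks.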
|
|
|
@ -680,6 +680,8 @@ func TestEngineResponse_GetSuccessRules(t *testing.T) {
|
||||||
func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
resource := unstructured.Unstructured{}
|
resource := unstructured.Unstructured{}
|
||||||
resource.SetNamespace("foo")
|
resource.SetNamespace("foo")
|
||||||
|
audit := kyvernov1.Audit
|
||||||
|
enforce := kyvernov1.Enforce
|
||||||
type fields struct {
|
type fields struct {
|
||||||
PatchedResource unstructured.Unstructured
|
PatchedResource unstructured.Unstructured
|
||||||
GenericPolicy GenericPolicy
|
GenericPolicy GenericPolicy
|
||||||
|
@ -708,6 +710,36 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
}),
|
}),
|
||||||
},
|
},
|
||||||
want: kyvernov1.Enforce,
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &audit,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
}, {
|
}, {
|
||||||
fields: fields{
|
fields: fields{
|
||||||
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
@ -734,6 +766,44 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
}),
|
}),
|
||||||
},
|
},
|
||||||
want: kyvernov1.Enforce,
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"*"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: "invalid",
|
||||||
|
Namespaces: []string{"*"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
}, {
|
}, {
|
||||||
fields: fields{
|
fields: fields{
|
||||||
PatchedResource: resource,
|
PatchedResource: resource,
|
||||||
|
@ -892,6 +962,212 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
}),
|
}),
|
||||||
},
|
},
|
||||||
want: kyvernov1.Audit,
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"foo"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"bar"},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"bar": "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"foo"},
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"bar": "foo",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"bar"},
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Enforce,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"foo"},
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
|
}, {
|
||||||
|
fields: fields{
|
||||||
|
namespaceLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
PatchedResource: resource,
|
||||||
|
GenericPolicy: NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
|
Action: kyvernov1.Audit,
|
||||||
|
Namespaces: []string{"*"},
|
||||||
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
MatchLabels: map[string]string{
|
||||||
|
"foo": "bar",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
want: kyvernov1.Audit,
|
||||||
}}
|
}}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
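Review bot: Every added case uses a single rule, so neither the precedence between `Spec.ValidationFailureAction` and `Rules[i].Validation.ValidationFailureAction` nor the result for two rules that disagree is pinned by this table. One case with `Spec.ValidationFailureAction: kyvernov1.Audit` plus a rule carrying `&enforce`, and one with an audit rule followed by an enforce rule, would document which value wins. The `tests` table and its loop continue outside the hunk.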
|
|
|
@ -77,6 +77,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
|
||||||
policyType = Namespaced
|
policyType = Namespaced
|
||||||
}
|
}
|
||||||
backgroundMode := ParsePolicyBackgroundMode(policy)
|
backgroundMode := ParsePolicyBackgroundMode(policy)
|
||||||
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
|
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
|
||||||
return name, namespace, policyType, backgroundMode, validationMode, err
|
return name, namespace, policyType, backgroundMode, validationMode, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -78,8 +78,8 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
|
||||||
}
|
}
|
||||||
|
|
||||||
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
|
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
|
||||||
validationFailureAction := policy.GetSpec().ValidationFailureAction
|
validationFailureAction := policy.GetSpec().GetValidationFailureAction()
|
||||||
validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
|
validationFailureActionOverrides := policy.GetSpec().GetValidationFailureActionOverrides()
|
||||||
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
|
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
|
@ -80,10 +80,10 @@ func newPolicyMap() *policyMap {
|
||||||
}
|
}
|
||||||
|
|
||||||
func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
|
func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
|
||||||
if spec.ValidationFailureAction.Enforce() {
|
if spec.GetValidationFailureAction().Enforce() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
for _, k := range spec.ValidationFailureActionOverrides {
|
for _, k := range spec.GetValidationFailureActionOverrides() {
|
||||||
if k.Action.Enforce() {
|
if k.Action.Enforce() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -77,7 +77,7 @@ func BuildValidatingAdmissionPolicyBinding(vapbinding *admissionregistrationv1al
|
||||||
|
|
||||||
// set validation action for vap binding
|
// set validation action for vap binding
|
||||||
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
||||||
action := cpol.GetSpec().ValidationFailureAction
|
action := cpol.GetSpec().GetValidationFailureAction()
|
||||||
if action.Enforce() {
|
if action.Enforce() {
|
||||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
||||||
} else if action.Audit() {
|
} else if action.Audit() {
|
||||||
|
|
|
@ -19,12 +19,13 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
|
||||||
return false, msg
|
return false, msg
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(spec.ValidationFailureActionOverrides) > 1 {
|
validationFailureActionOverrides := spec.GetValidationFailureActionOverrides()
|
||||||
|
if len(validationFailureActionOverrides) > 1 {
|
||||||
msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
|
msg = "skip generating ValidatingAdmissionPolicy: multiple validationFailureActionOverrides are not applicable."
|
||||||
return false, msg
|
return false, msg
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(spec.ValidationFailureActionOverrides) != 0 && len(spec.ValidationFailureActionOverrides[0].Namespaces) != 0 {
|
if len(validationFailureActionOverrides) != 0 && len(validationFailureActionOverrides[0].Namespaces) != 0 {
|
||||||
msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
|
msg = "skip generating ValidatingAdmissionPolicy: Namespaces in validationFailureActionOverrides is not applicable."
|
||||||
return false, msg
|
return false, msg
|
||||||
}
|
}
|
||||||
|
|
|
@ -391,6 +391,110 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
`),
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "policy-with-multiple-validationFailureActionOverrides-in-validate-rule",
|
||||||
|
policy: []byte(`
|
||||||
|
{
|
||||||
|
"apiVersion": "kyverno.io/v1",
|
||||||
|
"kind": "ClusterPolicy",
|
||||||
|
"metadata": {
|
||||||
|
"name": "disallow-host-path"
|
||||||
|
},
|
||||||
|
"spec": {
|
||||||
|
"rules": [
|
||||||
|
{
|
||||||
|
"name": "host-path",
|
||||||
|
"match": {
|
||||||
|
"any": [
|
||||||
|
{
|
||||||
|
"resources": {
|
||||||
|
"kinds": [
|
||||||
|
"Pod"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"validate": {
|
||||||
|
"validationFailureAction": "Enforce",
|
||||||
|
"validationFailureActionOverrides": [
|
||||||
|
{
|
||||||
|
"action": "Enforce",
|
||||||
|
"namespaces": [
|
||||||
|
"default"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"action": "Audit",
|
||||||
|
"namespaces": [
|
||||||
|
"test"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"cel": {
|
||||||
|
"expressions": [
|
||||||
|
{
|
||||||
|
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
`),
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "policy-with-namespace-in-validationFailureActionOverrides-in-validate-rule",
|
||||||
|
policy: []byte(`
|
||||||
|
{
|
||||||
|
"apiVersion": "kyverno.io/v1",
|
||||||
|
"kind": "ClusterPolicy",
|
||||||
|
"metadata": {
|
||||||
|
"name": "disallow-host-path"
|
||||||
|
},
|
||||||
|
"spec": {
|
||||||
|
"rules": [
|
||||||
|
{
|
||||||
|
"name": "host-path",
|
||||||
|
"match": {
|
||||||
|
"any": [
|
||||||
|
{
|
||||||
|
"resources": {
|
||||||
|
"kinds": [
|
||||||
|
"Pod"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"validate": {
|
||||||
|
"validationFailureAction": "Enforce",
|
||||||
|
"validationFailureActionOverrides": [
|
||||||
|
{
|
||||||
|
"action": "Enforce",
|
||||||
|
"namespaces": [
|
||||||
|
"test-ns"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"cel": {
|
||||||
|
"expressions": [
|
||||||
|
{
|
||||||
|
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
`),
|
`),
|
||||||
expected: false,
|
expected: false,
|
||||||
},
|
},
|
||||||
|
|
|
@ -116,10 +116,10 @@ func validateJSONPatch(patch string, ruleIdx int) error {
|
||||||
|
|
||||||
func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
|
func checkValidationFailureAction(spec *kyvernov1.Spec) []string {
|
||||||
msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
|
msg := "Validation failure actions enforce/audit are deprecated, use Enforce/Audit instead."
|
||||||
if spec.ValidationFailureAction == "enforce" || spec.ValidationFailureAction == "audit" {
|
if spec.GetValidationFailureAction() == "enforce" || spec.GetValidationFailureAction() == "audit" {
|
||||||
return []string{msg}
|
return []string{msg}
|
||||||
}
|
}
|
||||||
for _, override := range spec.ValidationFailureActionOverrides {
|
for _, override := range spec.GetValidationFailureActionOverrides() {
|
||||||
if override.Action == "enforce" || override.Action == "audit" {
|
if override.Action == "enforce" || override.Action == "audit" {
|
||||||
return []string{msg}
|
return []string{msg}
|
||||||
}
|
}
|
||||||
|
@ -326,7 +326,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
||||||
|
|
||||||
if rule.HasVerifyImages() {
|
if rule.HasVerifyImages() {
|
||||||
isAuditFailureAction := false
|
isAuditFailureAction := false
|
||||||
if spec.ValidationFailureAction == kyvernov1.Audit {
|
if spec.GetValidationFailureAction() == kyvernov1.Audit {
|
||||||
isAuditFailureAction = true
|
isAuditFailureAction = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1555,7 +1555,7 @@ func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
|
||||||
"auditW": sets.New[string](),
|
"auditW": sets.New[string](),
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, vfa := range s.ValidationFailureActionOverrides {
|
for i, vfa := range s.GetValidationFailureActionOverrides() {
|
||||||
if !vfa.Action.IsValid() {
|
if !vfa.Action.IsValid() {
|
||||||
return fmt.Errorf("invalid action")
|
return fmt.Errorf("invalid action")
|
||||||
}
|
}
|
||||||
|
|
|
@ -117,7 +117,7 @@ func (v *validationHandler) HandleValidationEnforce(
|
||||||
|
|
||||||
engineResponses = append(engineResponses, engineResponse)
|
engineResponses = append(engineResponses, engineResponse)
|
||||||
if !engineResponse.IsSuccessful() {
|
if !engineResponse.IsSuccessful() {
|
||||||
logger.V(2).Info("validation failed", "action", policy.GetSpec().ValidationFailureAction, "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
|
logger.V(2).Info("validation failed", "action", policy.GetSpec().GetValidationFailureAction(), "policy", policy.GetName(), "failed rules", engineResponse.GetFailedRules())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -62,6 +62,38 @@ func TestBlockRequest(t *testing.T) {
|
||||||
ValidationFailureAction: kyvernov1.Enforce,
|
ValidationFailureAction: kyvernov1.Enforce,
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|
audit := kyvernov1.Audit
|
||||||
|
auditRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
ObjectMeta: v1.ObjectMeta{
|
||||||
|
Name: "test",
|
||||||
|
},
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Name: "rule-audit",
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &audit,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
|
enforce := kyvernov1.Enforce
|
||||||
|
enforceRule := engineapi.NewKyvernoPolicy(&kyvernov1.ClusterPolicy{
|
||||||
|
ObjectMeta: v1.ObjectMeta{
|
||||||
|
Name: "test",
|
||||||
|
},
|
||||||
|
Spec: kyvernov1.Spec{
|
||||||
|
Rules: []kyvernov1.Rule{
|
||||||
|
{
|
||||||
|
Name: "rule-enforce",
|
||||||
|
Validation: kyvernov1.Validation{
|
||||||
|
ValidationFailureAction: &enforce,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
})
|
||||||
resource := unstructured.Unstructured{
|
resource := unstructured.Unstructured{
|
||||||
Object: map[string]interface{}{
|
Object: map[string]interface{}{
|
||||||
"kind": "foo",
|
"kind": "foo",
|
||||||
|
@ -164,6 +196,90 @@ func TestBlockRequest(t *testing.T) {
|
||||||
log: logr.Discard(),
|
log: logr.Discard(),
|
||||||
},
|
},
|
||||||
want: false,
|
want: false,
|
||||||
|
}, {
|
||||||
|
name: "failure - enforce",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, enforceRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Fail,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
}, {
|
||||||
|
name: "failure - audit",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.RuleFail("rule-fail", engineapi.Validation, "message fail"),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Fail,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: false,
|
||||||
|
}, {
|
||||||
|
name: "error - fail",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Fail,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
}, {
|
||||||
|
name: "error - ignore",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.RuleError("rule-error", engineapi.Validation, "message error", nil),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Ignore,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: false,
|
||||||
|
}, {
|
||||||
|
name: "warning - ignore",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Ignore,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: false,
|
||||||
|
}, {
|
||||||
|
name: "warning - fail",
|
||||||
|
args: args{
|
||||||
|
engineResponses: []engineapi.EngineResponse{
|
||||||
|
engineapi.NewEngineResponse(resource, auditRule, nil).WithPolicyResponse(engineapi.PolicyResponse{
|
||||||
|
Rules: []engineapi.RuleResponse{
|
||||||
|
*engineapi.NewRuleResponse("rule-warning", engineapi.Validation, "message warning", engineapi.RuleStatusWarn),
|
||||||
|
},
|
||||||
|
}),
|
||||||
|
},
|
||||||
|
failurePolicy: kyvernov1.Fail,
|
||||||
|
log: logr.Discard(),
|
||||||
|
},
|
||||||
|
want: false,
|
||||||
}}
|
}}
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
t.Run(tt.name, func(t *testing.T) {
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
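Review bot: The added cases pin the fail/audit outcome for a single rule-level action, but none sets both `Spec.ValidationFailureAction` and a rule's `Validation.ValidationFailureAction`, so the precedence the migration introduces is not asserted here. `enforceRule` is also exercised only with `RuleFail`; a `RuleError` under an enforce rule with `failurePolicy: kyvernov1.Ignore` is the combination most likely to surprise and deserves its own row. The `tests` table and its loop continue outside the hunk.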
|
|