Merge branch 'main' into fix_generate_matching_pattern

.github/workflows/clean-stale-branches.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cleanup Stale Branches
-        uses: cbrgm/cleanup-stale-branches-action@af96333d4b82de4b00ea2305610a0e3a3da82392 # v1.1.16
+        uses: cbrgm/cleanup-stale-branches-action@6a9aa7a9b01c30ea7cd3af72a9a16b9ba80e51fb # v1.1.17
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}

.github/workflows/conformance.yaml

@@ -128,7 +128,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -197,7 +197,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -271,7 +271,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -340,7 +340,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -413,7 +413,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -489,7 +489,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -564,7 +564,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -643,7 +643,7 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster and setup Sigstore Scaffolding
         uses: sigstore/scaffolding/actions/setup@fb8d1817d2571303daf88f49d3a23daeb7474e84
@@ -733,7 +733,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
@@ -842,7 +842,7 @@ jobs:
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       - name: Download kyverno CLI archive
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
@@ -967,7 +967,7 @@ jobs:
         with:
           name: kubectl-kyverno
       - name: Install chainsaw
-        uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4
+        uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5
       # create cluster
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0

.goreleaser.yml

@@ -6,7 +6,10 @@ before:
 
 builds:
 - id: kyverno-cli
-  main: cmd/cli/kubectl-kyverno/main.go
+  # As mentioned in https://github.com/golang/go/issues/51831, to include build info, we should use go build <package>
+  # instead of go build main.go here.
+  # see https://goreleaser.com/customization/builds/
+  main: ./cmd/cli/kubectl-kyverno
   binary: kyverno
   env:
   - CGO_ENABLED=0

api/kyverno/v1/common_types.go

@@ -53,7 +53,20 @@ const (
 
 // WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
 type WebhookConfiguration struct {
+	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
+	// Rules within the same policy share the same failure behavior.
+	// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
+	// Allowed values are Ignore or Fail. Defaults to Fail.
+	// +optional
+	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
+
+	// TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
+	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
+	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" yaml:"timeoutSeconds,omitempty"`
+
 	// MatchCondition configures admission webhook matchConditions.
+	// Requires Kubernetes 1.27 or later.
 	// +optional
 	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
 }

api/kyverno/v1/spec_types.go

@@ -60,11 +60,7 @@ type Spec struct {
 	// +optional
 	ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
 
-	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
-	// Rules within the same policy share the same failure behavior.
-	// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
-	// Allowed values are Ignore or Fail. Defaults to Fail.
-	// +optional
+	// Deprecated, use failurePolicy under the webhookConfiguration instead.
 	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
 
 	// ValidationFailureAction defines if a validation policy rule violation should block
@@ -97,9 +93,7 @@ type Spec struct {
 	// Deprecated.
 	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
 
-	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
-	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
-	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+	// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
 	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
 
 	// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
@@ -121,13 +115,12 @@ type Spec struct {
 	UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
 
 	// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
-	// Requires Kubernetes 1.27 or later.
 	// +optional
 	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
 
-func (s *Spec) CustomWebhookConfiguration() bool {
-	return s.WebhookConfiguration != nil
+func (s *Spec) CustomWebhookMatchConditions() bool {
+	return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 
 func (s *Spec) SetRules(rules []Rule) {
@@ -274,10 +267,22 @@ func (s *Spec) IsGenerateExisting() bool {
 func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType {
 	if toggle.FromContext(ctx).ForceFailurePolicyIgnore() {
 		return Ignore
-	} else if s.FailurePolicy == nil {
-		return Fail
+	} else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+		return *s.WebhookConfiguration.FailurePolicy
+	} else if s.FailurePolicy != nil {
+		return *s.FailurePolicy
+	}
+	return Fail
+}
+
+func (s *Spec) GetWebhookTimeoutSeconds() *int32 {
+	if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+		return s.WebhookConfiguration.TimeoutSeconds
+	}
+	if s.WebhookTimeoutSeconds != nil {
+		return s.WebhookTimeoutSeconds
 	}
-	return *s.FailurePolicy
+	return nil
 }
 
 // GetMatchConditions returns matchConditions in webhookConfiguration
@@ -288,7 +293,7 @@ func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition {
 	return nil
 }
 
-// GetFailurePolicy returns the failure policy to be applied
+// GetApplyRules returns the apply rules type
 func (s *Spec) GetApplyRules() ApplyRulesType {
 	if s.ApplyRules == nil {
 		return ApplyAll
@@ -320,6 +325,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
 }
 
 func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
+	if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+		errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead"))
+	}
+
+	if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+		errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
+	}
+
 	for _, rule := range s.Rules {
 		if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
 			if s.GenerateExistingOnPolicyUpdate != nil {
@@ -364,6 +377,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin
 	if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) {
 		errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
 	}
+	if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) {
+		errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
+	}
 	errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
 	if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
 		errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))

api/kyverno/v2/policy_exception_types.go

@@ -101,6 +101,11 @@ func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)
 	for i, e := range p.Exceptions {
 		errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
 	}
+
+	podSecuityPath := path.Child("podSecurity")
+	for i, p := range p.PodSecurity {
+		errs = append(errs, p.Validate(podSecuityPath.Index(i))...)
+	}
 	return errs
 }
 

api/kyverno/v2beta1/common_types.go

@@ -2,18 +2,10 @@ package v2beta1
 
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
-// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.
-type WebhookConfiguration struct {
-	// MatchCondition configures admission webhook matchConditions.
-	// +optional
-	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"`
-}
-
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
 	// Message specifies a custom message to be displayed on failure.

api/kyverno/v2beta1/spec_types.go

@@ -1,9 +1,11 @@
 package v2beta1
 
 import (
+	"context"
 	"fmt"
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -21,10 +23,7 @@ type Spec struct {
 	// +optional
 	ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
 
-	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
-	// Rules within the same policy share the same failure behavior.
-	// Allowed values are Ignore or Fail. Defaults to Fail.
-	// +optional
+	// Deprecated, use failurePolicy under the webhookConfiguration instead.
 	FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
 
 	// ValidationFailureAction defines if a validation policy rule violation should block
@@ -57,9 +56,7 @@ type Spec struct {
 	// Deprecated.
 	SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
 
-	// WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
-	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
-	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+	// Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
 	WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
 
 	// Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
@@ -80,13 +77,12 @@ type Spec struct {
 	UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
 
 	// WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
-	// Requires Kubernetes 1.27 or later.
 	// +optional
-	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
+	WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
 }
 
-func (s *Spec) CustomWebhookConfiguration() bool {
-	return s.WebhookConfiguration != nil
+func (s *Spec) CustomWebhookMatchConditions() bool {
+	return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 
 func (s *Spec) SetRules(rules []Rule) {
@@ -237,14 +233,28 @@ func (s *Spec) IsGenerateExisting() bool {
 }
 
 // GetFailurePolicy returns the failure policy to be applied
-func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType {
-	if s.FailurePolicy == nil {
-		return kyvernov1.Fail
+func (s *Spec) GetFailurePolicy(ctx context.Context) kyvernov1.FailurePolicyType {
+	if toggle.FromContext(ctx).ForceFailurePolicyIgnore() {
+		return kyvernov1.Ignore
+	} else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+		return *s.WebhookConfiguration.FailurePolicy
+	} else if s.FailurePolicy != nil {
+		return *s.FailurePolicy
 	}
-	return *s.FailurePolicy
+	return kyvernov1.Fail
 }
 
-// GetFailurePolicy returns the failure policy to be applied
+func (s *Spec) GetWebhookTimeoutSeconds() *int32 {
+	if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+		return s.WebhookConfiguration.TimeoutSeconds
+	}
+	if s.WebhookTimeoutSeconds != nil {
+		return s.WebhookTimeoutSeconds
+	}
+	return nil
+}
+
+// GetApplyRules returns the apply rules type
 func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType {
 	if s.ApplyRules == nil {
 		return kyvernov1.ApplyAll
@@ -275,6 +285,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
 }
 
 func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
+	if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+		errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead"))
+	}
+
+	if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+		errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
+	}
+
 	for _, rule := range s.Rules {
 		if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil {
 			if s.GenerateExistingOnPolicyUpdate != nil {
@@ -302,6 +320,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin
 	if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) {
 		errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
 	}
+	if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) {
+		errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
+	}
 	errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
 	if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
 		errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))