From 692014f21c8eda0057d6d8319fe942059289bce4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Jun 2024 11:17:19 +0000 Subject: [PATCH 01/10] chore(deps): bump github.com/fluxcd/pkg/oci from 0.37.1 to 0.38.0 (#10512) Bumps [github.com/fluxcd/pkg/oci](https://github.com/fluxcd/pkg) from 0.37.1 to 0.38.0. - [Commits](https://github.com/fluxcd/pkg/compare/oci/v0.37.1...oci/v0.38.0) --- updated-dependencies: - dependency-name: github.com/fluxcd/pkg/oci dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 015d768f0acd..5d13bc98adda 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,7 @@ require ( github.com/distribution/reference v0.6.0 github.com/evanphx/json-patch/v5 v5.9.0 github.com/fatih/color v1.17.0 - github.com/fluxcd/pkg/oci v0.37.1 + github.com/fluxcd/pkg/oci v0.38.0 github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 github.com/go-git/go-billy/v5 v5.5.0 github.com/go-git/go-git/v5 v5.12.0 diff --git a/go.sum b/go.sum index 6e51f0ebbd86..b4cad0f32448 100644 --- a/go.sum +++ b/go.sum 
@@ -314,8 +314,8 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/fluxcd/pkg/oci v0.37.1 h1:p4rfCHZlBWL+Q5Xey51iiBRmoje0IevCBT0/r8iae3M= -github.com/fluxcd/pkg/oci v0.37.1/go.mod h1:LrVuX6VACenJ5ycQJxec+I7YJegCsE4nzRUV+6RuxcY= +github.com/fluxcd/pkg/oci v0.38.0 h1:a9pCdqiUPZ7YOnYDXVXCxELBU0r6xbDnGv4C6YUz7vU= +github.com/fluxcd/pkg/oci v0.38.0/go.mod h1:mYVSxnpVutRmWu6mpwxm7hXFn6qdhLEjspL04ej/WZU= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= From abe2a2310b0ddc8e6ef04d8f92eae83986a3a1b3 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 20 Jun 2024 20:04:37 +0700 Subject: [PATCH 02/10] feat: migrate webhookTimeoutSeconds and failurePolicy (#10515) * feat: migrate webhookTimeoutSeconds and failurePolicy Signed-off-by: Mariam Fahmy * fix lint issue Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy --- api/kyverno/v1/common_types.go | 13 ++ api/kyverno/v1/spec_types.go | 42 +++-- api/kyverno/v1/zz_generated.deepcopy.go | 10 ++ api/kyverno/v2beta1/common_types.go | 8 - api/kyverno/v2beta1/spec_types.go | 49 ++++-- api/kyverno/v2beta1/zz_generated.deepcopy.go | 23 +-- .../kyverno.io_clusterpolicies.yaml | 77 ++++++--- .../kyverno.io/kyverno.io_policies.yaml | 77 ++++++--- .../data/crds/kyverno.io_clusterpolicies.yaml | 77 ++++++--- .../data/crds/kyverno.io_policies.yaml | 77 ++++++--- .../kyverno/kyverno.io_clusterpolicies.yaml | 77 ++++++--- config/crds/kyverno/kyverno.io_policies.yaml | 77 ++++++--- config/install-latest-testing.yaml | 154 ++++++++++++------ docs/user/crd/index.html | 152 +++++++---------- docs/user/crd/kyverno.v1.html | 111 +++++++++---- docs/user/crd/kyverno.v2beta1.html | 108 ++---------- .../kyverno/v1/webhookconfiguration.go | 25 ++- .../kyverno/v2beta1/spec.go | 4 +- pkg/client/applyconfigurations/utils.go | 2 - pkg/controllers/webhook/controller.go | 7 +- 20 files changed, 688 insertions(+), 482 deletions(-) diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 320eb5e9fcda..dc51fac3381c 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
@@ -53,7 +53,20 @@ const ( // WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration. type WebhookConfiguration struct { + // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + // Rules within the same policy share the same failure behavior. + // This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + // Allowed values are Ignore or Fail. Defaults to Fail. + // +optional + FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` + + // TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + // After the configured time expires, the admission request may fail, or may simply ignore the policy results, + // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" yaml:"timeoutSeconds,omitempty"` + // MatchCondition configures admission webhook matchConditions. + // Requires Kubernetes 1.27 or later. // +optional MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"` } diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 609be70b1d4d..b2e87215ddfe 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go 
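Review bot: The new `TimeoutSeconds` field in `WebhookConfiguration` carries no schema-level bounds, so the 1–30 second range stated in its comment is enforced only by the Go `Validate` path and not by the CRD's OpenAPI schema (the generated CRD hunks later in this series show `format: int32` / `type: integer` with no minimum or maximum). Adding `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` above the field would make the API server reject out-of-range values independently of Kyverno's own validation path and keep the schema in step with the comment. Unlike its two sibling fields, `TimeoutSeconds` also lacks a `// +optional` marker; `omitempty` already makes it optional in practice, but the explicit marker keeps the struct consistent. The comment's claim that the default is 10s is not established by anything in this hunk, so it is worth confirming where that default is actually applied.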
@@ -60,11 +60,7 @@ type Spec struct { // +optional ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"` - // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - // Rules within the same policy share the same failure behavior. - // This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - // Allowed values are Ignore or Fail. Defaults to Fail. - // +optional + // Deprecated, use failurePolicy under the webhookConfiguration instead. FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` // ValidationFailureAction defines if a validation policy rule violation should block @@ -97,9 +93,7 @@ type Spec struct { // Deprecated. SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"` - // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - // After the configured time expires, the admission request may fail, or may simply ignore the policy results, - // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + // Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead. WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` // Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead @@ -121,7 +115,6 @@ type Spec struct { UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"` // WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - // Requires Kubernetes 1.27 or later. // +optional WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"` } 
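Review bot: The replacement comment on `WebhookTimeoutSeconds` points users at a field that does not exist: it says `use webhookTimeoutSeconds under webhookConfiguration`, but the field this commit adds to `WebhookConfiguration` is serialized as `timeoutSeconds`, and the Forbidden error added to `validateDeprecatedFields` in the same commit names `spec.webhookConfiguration.timeoutSeconds`. Suggest `// Deprecated, use timeoutSeconds under the webhookConfiguration instead.` The same wording is applied to the v2beta1 `Spec` and, because the CRD descriptions are generated from these comments, it recurs in every CRD YAML hunk of this series; fixing the Go comment and regenerating corrects all of them at once. Optionally use the Go convention `// Deprecated: ...` on its own line so linters and editors surface the deprecation. The `Spec` struct begins before this hunk.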
@@ -274,10 +267,22 @@ func (s *Spec) IsGenerateExisting() bool { func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType { if toggle.FromContext(ctx).ForceFailurePolicyIgnore() { return Ignore - } else if s.FailurePolicy == nil { - return Fail + } else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + return *s.WebhookConfiguration.FailurePolicy + } else if s.FailurePolicy != nil { + return *s.FailurePolicy + } + return Fail +} + +func (s *Spec) GetWebhookTimeoutSeconds() *int32 { + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + return s.WebhookConfiguration.TimeoutSeconds + } + if s.WebhookTimeoutSeconds != nil { + return s.WebhookTimeoutSeconds } - return *s.FailurePolicy + return nil } // GetMatchConditions returns matchConditions in webhookConfiguration @@ -288,7 +293,7 @@ func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition { return nil } -// GetFailurePolicy returns the failure policy to be applied +// GetApplyRules returns the apply rules type func (s *Spec) GetApplyRules() ApplyRulesType { if s.ApplyRules == nil { return ApplyAll 
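Review bot: The new exported method `GetWebhookTimeoutSeconds` has no doc comment, and the precedence it implements (webhookConfiguration.timeoutSeconds first, then the deprecated spec.webhookTimeoutSeconds, then nil) is exactly what a caller needs to know. Suggest `// GetWebhookTimeoutSeconds returns the configured webhook timeout, preferring webhookConfiguration.timeoutSeconds over the deprecated spec.webhookTimeoutSeconds; nil means neither field is set.` The same undocumented method is added to the v2beta1 `Spec` in this commit. Note that the returned pointer aliases the spec's own field, so a caller that writes through it modifies the policy object; whether any caller does so cannot be seen from this hunk.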
@@ -320,6 +325,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace } func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) { + if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead")) + } + + if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) + } + for _, rule := range s.Rules { if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { if s.GenerateExistingOnPolicyUpdate != nil { @@ -364,6 +377,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) { errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) } + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) { + errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) + } errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...) if namespaced && len(s.ValidationFailureActionOverrides) > 0 { errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy")) 
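Review bot: `path.Child("webhookConfiguration.timeoutSeconds")` in the new range check creates one path element whose name contains a dot; it prints the same as the nested path but does not carry the structure `field.Path` is meant to hold, so prefer `path.Child("webhookConfiguration").Child("timeoutSeconds")`. The bounds `1` and `30` are now repeated in the two range checks here, their twins in the v2beta1 `Validate`, and the doc comments; a pair of named constants would keep them in step. The same dotted-path construction appears in the v2beta1 `Validate` hunk of this commit. Both `validateDeprecatedFields` and `Validate` continue outside the hunk.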
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 84e6eff37651..dc9358f5cd61 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1690,6 +1690,16 @@ func (in *Variable) DeepCopy() *Variable { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in + if in.FailurePolicy != nil { + in, out := &in.FailurePolicy, &out.FailurePolicy + *out = new(FailurePolicyType) + **out = **in + } + if in.TimeoutSeconds != nil { + in, out := &in.TimeoutSeconds, &out.TimeoutSeconds + *out = new(int32) + **out = **in + } if in.MatchConditions != nil { in, out := &in.MatchConditions, &out.MatchConditions *out = make([]admissionregistrationv1.MatchCondition, len(*in)) diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index d3ae3b5037a4..4dc822afd82e 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go @@ -2,18 +2,10 @@ package v2beta1 import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) -// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration. -type WebhookConfiguration struct { - // MatchCondition configures admission webhook matchConditions. - // +optional - MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"` -} - // Validation defines checks to be performed on matching resources. type Validation struct { // Message specifies a custom message to be displayed on failure. 
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index d647d618a041..b0a5e713a05c 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -1,9 +1,11 @@ package v2beta1 import ( + "context" "fmt" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/toggle" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" ) @@ -21,10 +23,7 @@ type Spec struct { // +optional ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"` - // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - // Rules within the same policy share the same failure behavior. - // Allowed values are Ignore or Fail. Defaults to Fail. - // +optional + // Deprecated, use failurePolicy under the webhookConfiguration instead. FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` // ValidationFailureAction defines if a validation policy rule violation should block @@ -57,9 +56,7 @@ type Spec struct { // Deprecated. SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"` - // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - // After the configured time expires, the admission request may fail, or may simply ignore the policy results, - // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + // Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead. WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` // Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead 
@@ -80,9 +77,8 @@ type Spec struct { UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"` // WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - // Requires Kubernetes 1.27 or later. // +optional - WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"` + WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"` } func (s *Spec) CustomWebhookConfiguration() bool { @@ -237,14 +233,28 @@ func (s *Spec) IsGenerateExisting() bool { } // GetFailurePolicy returns the failure policy to be applied -func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType { - if s.FailurePolicy == nil { - return kyvernov1.Fail +func (s *Spec) GetFailurePolicy(ctx context.Context) kyvernov1.FailurePolicyType { + if toggle.FromContext(ctx).ForceFailurePolicyIgnore() { + return kyvernov1.Ignore + } else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + return *s.WebhookConfiguration.FailurePolicy + } else if s.FailurePolicy != nil { + return *s.FailurePolicy } - return *s.FailurePolicy + return kyvernov1.Fail } -// GetFailurePolicy returns the failure policy to be applied +func (s *Spec) GetWebhookTimeoutSeconds() *int32 { + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + return s.WebhookConfiguration.TimeoutSeconds + } + if s.WebhookTimeoutSeconds != nil { + return s.WebhookTimeoutSeconds + } + return nil +} + +// GetApplyRules returns the apply rules type func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType { if s.ApplyRules == nil { return kyvernov1.ApplyAll 
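Review bot: `GetFailurePolicy` on the v2beta1 `Spec` changes its exported signature from `GetFailurePolicy()` to `GetFailurePolicy(ctx context.Context)`, which is a compile-time break for any consumer of the `api/kyverno/v2beta1` package outside this repository; the diffstat shows only in-repo callers being updated. Aligning with v1 so that `toggle.FromContext(ctx).ForceFailurePolicyIgnore()` is honoured is reasonable, but the commit message should call out the API change. The surviving doc comment could also state the precedence now applied: `// GetFailurePolicy returns the failure policy to be applied: the force-ignore toggle first, then webhookConfiguration.failurePolicy, then the deprecated spec.failurePolicy, defaulting to Fail.`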
@@ -275,6 +285,14 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace } func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) { + if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead")) + } + + if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) + } + for _, rule := range s.Rules { if rule.HasGenerate() && rule.Generation.IsGenerateExisting() != nil { if s.GenerateExistingOnPolicyUpdate != nil { @@ -302,6 +320,9 @@ func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace strin if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) { errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) } + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) { + errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) + } errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...) if namespaced && len(s.ValidationFailureActionOverrides) > 0 { errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy")) 
diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go index f1ae0b0da5f7..485c3f3f3ed2 100755 --- a/api/kyverno/v2beta1/zz_generated.deepcopy.go +++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go @@ -812,7 +812,7 @@ func (in *Spec) DeepCopyInto(out *Spec) { } if in.WebhookConfiguration != nil { in, out := &in.WebhookConfiguration, &out.WebhookConfiguration - *out = new(WebhookConfiguration) + *out = new(v1.WebhookConfiguration) (*in).DeepCopyInto(*out) } return @@ -880,24 +880,3 @@ func (in *Validation) DeepCopy() *Validation { in.DeepCopyInto(out) return out } - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { - *out = *in - if in.MatchConditions != nil { - in, out := &in.MatchConditions, &out.MatchConditions - *out = make([]admissionregistrationv1.MatchCondition, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration. -func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration { - if in == nil { - return nil - } - out := new(WebhookConfiguration) - in.DeepCopyInto(out) - return out -} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 518a7af40a6b..46eed8160e90 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -113,11 +113,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail @@ -4297,12 +4294,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4343,12 +4351,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8696,10 +8709,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12620,12 +12631,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12666,12 +12688,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index 9c34e96c084c..142dac35326f 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -114,11 +114,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -4298,12 +4295,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4344,12 +4352,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8699,10 +8712,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12623,12 +12634,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12669,12 +12691,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 6488cdeb5516..04a09d121225 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -107,11 +107,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -4291,12 +4288,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4337,12 +4345,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8690,10 +8703,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12614,12 +12625,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12660,12 +12682,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index b7311c7079f6..3135e1e5a72b 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -108,11 +108,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -4292,12 +4289,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4338,12 +4346,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8693,10 +8706,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12617,12 +12628,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12663,12 +12685,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index 6488cdeb5516..04a09d121225 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -107,11 +107,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -4291,12 +4288,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4337,12 +4345,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8690,10 +8703,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12614,12 +12625,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12660,12 +12682,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index b7311c7079f6..3135e1e5a72b 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml @@ -108,11 +108,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -4292,12 +4289,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -4338,12 +4346,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -8693,10 +8706,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -12617,12 +12628,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -12663,12 +12685,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 0b60a9ea3b23..c572659c6033 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -5314,11 +5314,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -9498,12 +9495,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -9544,12 +9552,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -13897,10 +13910,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -17821,12 +17832,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -17867,12 +17889,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -22502,11 +22529,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - This field should not be accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -26686,12 +26710,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -26732,12 +26767,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object @@ -31087,10 +31127,8 @@ spec: uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: |- - FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. - Rules within the same policy share the same failure behavior. - Allowed values are Ignore or Fail. Defaults to Fail. + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. enum: - Ignore - Fail 
@@ -35011,12 +35049,23 @@ spec: type: object type: array webhookConfiguration: - description: |- - WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. - Requires Kubernetes 1.27 or later. + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string matchConditions: - description: MatchCondition configures admission webhook matchConditions. + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. 
@@ -35057,12 +35106,17 @@ spec: - name type: object type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer type: object webhookTimeoutSeconds: - description: |- - WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. - After the configured time expires, the admission request may fail, or may simply ignore the policy results, - based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. format: int32 type: integer type: object diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index f68ed86ea3a4..a5f3f3f37e08 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -147,11 +147,7 @@

ClusterPolicy -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -232,9 +228,7 @@

ClusterPolicy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -298,8 +292,7 @@

ClusterPolicy (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -422,11 +415,7 @@

Policy -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -507,9 +496,7 @@

Policy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -573,8 +560,7 @@

Policy (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -1631,6 +1617,7 @@

FailurePolicyType

(Appears on: Spec, +WebhookConfiguration, Spec)

@@ -3951,11 +3938,7 @@

Spec -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -4036,9 +4019,7 @@

Spec -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -4102,8 +4083,7 @@

Spec (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -4641,7 +4621,8 @@

WebhookConfiguration

(Appears on: -Spec) +Spec, +Spec)

WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.

@@ -4656,6 +4637,36 @@

WebhookConfiguration +failurePolicy
+ + +FailurePolicyType + + + + +(Optional) +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +This field should not be accessed directly, instead GetFailurePolicy() should be used. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + +timeoutSeconds
+ +int32 + + + +

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + matchConditions
@@ -4665,7 +4676,8 @@

WebhookConfiguration (Optional) -

MatchCondition configures admission webhook matchConditions.

+

MatchCondition configures admission webhook matchConditions. +Requires Kubernetes 1.27 or later.

@@ -7350,10 +7362,7 @@

ClusterPolicy -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -7434,9 +7443,7 @@

ClusterPolicy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -7492,15 +7499,14 @@

ClusterPolicy webhookConfiguration
-
+ WebhookConfiguration (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -7623,10 +7629,7 @@

Policy -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -7707,9 +7710,7 @@

Policy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -7765,15 +7766,14 @@

Policy webhookConfiguration
- + WebhookConfiguration (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -9016,10 +9016,7 @@

Spec -(Optional) -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -9100,9 +9097,7 @@

Spec -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -9158,15 +9153,14 @@

Spec webhookConfiguration
- + WebhookConfiguration (Optional) -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -9304,40 +9298,6 @@

Validation
-

WebhookConfiguration -

-

-(Appears on: -Spec) -

-

-

WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.

-

- - - - - - - - - - - - - -
FieldDescription
-matchConditions
- - -[]Kubernetes admissionregistration/v1.MatchCondition - - -
-(Optional) -

MatchCondition configures admission webhook matchConditions.

-
-

reports.kyverno.io/v1

diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index d8ada41012a2..631834871420 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html @@ -204,6 +204,8 @@

ClusterPolicy failurePolicy + * +
@@ -218,10 +220,7 @@

ClusterPolicy -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -398,9 +397,7 @@

ClusterPolicy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -539,8 +536,7 @@

ClusterPolicy -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -765,6 +761,8 @@

Policy failurePolicy + * +
@@ -779,10 +777,7 @@

Policy -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -959,9 +954,7 @@

Policy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -1100,8 +1093,7 @@

Policy -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -3310,7 +3302,8 @@

FailurePolicyType

(Appears in: - Spec) + Spec, + WebhookConfiguration)

@@ -7803,6 +7796,8 @@

Spec failurePolicy + * +
@@ -7817,10 +7812,7 @@

Spec -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -This field should not be accessed directly, instead GetFailurePolicy() should be used. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -7997,9 +7989,7 @@

Spec -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -8138,8 +8128,7 @@

Spec -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -9271,6 +9260,69 @@

WebhookConfiguration + + failurePolicy + +
+ + + + + + FailurePolicyType + + + + + + + +

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. +Rules within the same policy share the same failure behavior. +This field should not be accessed directly, instead GetFailurePolicy() should be used. +Allowed values are Ignore or Fail. Defaults to Fail.

+ + + + + + + + + + + + + timeoutSeconds + + * + +
+ + + + + int32 + + + + + + +

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. +After the configured time expires, the admission request may fail, or may simply ignore the policy results, +based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+ + + + + + + + + + + matchConditions @@ -9286,7 +9338,8 @@

WebhookConfiguration -

MatchCondition configures admission webhook matchConditions.

+

MatchCondition configures admission webhook matchConditions. +Requires Kubernetes 1.27 or later.

diff --git a/docs/user/crd/kyverno.v2beta1.html b/docs/user/crd/kyverno.v2beta1.html index 1b24b59f2eff..3b3b3efb82bb 100644 --- a/docs/user/crd/kyverno.v2beta1.html +++ b/docs/user/crd/kyverno.v2beta1.html @@ -804,6 +804,8 @@

ClusterPolicy failurePolicy + * +
@@ -818,9 +820,7 @@

ClusterPolicy -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -997,9 +997,7 @@

ClusterPolicy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -1131,7 +1129,7 @@

ClusterPolicy - + WebhookConfiguration @@ -1140,8 +1138,7 @@

ClusterPolicy -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -1366,6 +1363,8 @@

Policy failurePolicy + * +
@@ -1380,9 +1379,7 @@

Policy -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -1559,9 +1556,7 @@

Policy -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -1693,7 +1688,7 @@

Policy - + WebhookConfiguration @@ -1702,8 +1697,7 @@

Policy -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -4140,6 +4134,8 @@

Spec failurePolicy + * +
@@ -4154,9 +4150,7 @@

Spec -

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail.

+

Deprecated, use failurePolicy under the webhookConfiguration instead.

@@ -4333,9 +4327,7 @@

Spec -

WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.

+

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

@@ -4467,7 +4459,7 @@

Spec - + WebhookConfiguration @@ -4476,8 +4468,7 @@

Spec -

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration. -Requires Kubernetes 1.27 or later.

+

WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.

@@ -4753,69 +4744,6 @@

Validation - - - - -

WebhookConfiguration -

- - -

- (Appears in: - Spec) -

- - -

WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration.

-

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldDescription
matchConditions - -
- - - - - []admissionregistration/v1.MatchCondition - - -
- - -

MatchCondition configures admission webhook matchConditions.

- - - - - -
diff --git a/pkg/client/applyconfigurations/kyverno/v1/webhookconfiguration.go b/pkg/client/applyconfigurations/kyverno/v1/webhookconfiguration.go index fdcd61b38e61..7fb66cbf171e 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/webhookconfiguration.go +++ b/pkg/client/applyconfigurations/kyverno/v1/webhookconfiguration.go @@ -19,13 +19,16 @@ limitations under the License. package v1 import ( - v1 "k8s.io/api/admissionregistration/v1" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" ) // WebhookConfigurationApplyConfiguration represents an declarative configuration of the WebhookConfiguration type for use // with apply. type WebhookConfigurationApplyConfiguration struct { - MatchConditions []v1.MatchCondition `json:"matchConditions,omitempty"` + FailurePolicy *v1.FailurePolicyType `json:"failurePolicy,omitempty"` + TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"` + MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"` } // WebhookConfigurationApplyConfiguration constructs an declarative configuration of the WebhookConfiguration type for use with 
@@ -34,10 +37,26 @@ func WebhookConfiguration() *WebhookConfigurationApplyConfiguration { return &WebhookConfigurationApplyConfiguration{} } +// WithFailurePolicy sets the FailurePolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the FailurePolicy field is set to the value of the last call. +func (b *WebhookConfigurationApplyConfiguration) WithFailurePolicy(value v1.FailurePolicyType) *WebhookConfigurationApplyConfiguration { + b.FailurePolicy = &value + return b +} + +// WithTimeoutSeconds sets the TimeoutSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TimeoutSeconds field is set to the value of the last call. +func (b *WebhookConfigurationApplyConfiguration) WithTimeoutSeconds(value int32) *WebhookConfigurationApplyConfiguration { + b.TimeoutSeconds = &value + return b +} + // WithMatchConditions adds the given value to the MatchConditions field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the MatchConditions field. -func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...v1.MatchCondition) *WebhookConfigurationApplyConfiguration { +func (b *WebhookConfigurationApplyConfiguration) WithMatchConditions(values ...admissionregistrationv1.MatchCondition) *WebhookConfigurationApplyConfiguration { for i := range values { b.MatchConditions = append(b.MatchConditions, values[i]) } diff --git a/pkg/client/applyconfigurations/kyverno/v2beta1/spec.go b/pkg/client/applyconfigurations/kyverno/v2beta1/spec.go index 1fad94bcb479..558f8ea4edd1 100644 
--- a/pkg/client/applyconfigurations/kyverno/v2beta1/spec.go +++ b/pkg/client/applyconfigurations/kyverno/v2beta1/spec.go @@ -39,7 +39,7 @@ type SpecApplyConfiguration struct { GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty"` GenerateExisting *bool `json:"generateExisting,omitempty"` UseServerSideApply *bool `json:"useServerSideApply,omitempty"` - WebhookConfiguration *WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"` + WebhookConfiguration *kyvernov1.WebhookConfigurationApplyConfiguration `json:"webhookConfiguration,omitempty"` } // SpecApplyConfiguration constructs an declarative configuration of the Spec type for use with @@ -165,7 +165,7 @@ func (b *SpecApplyConfiguration) WithUseServerSideApply(value bool) *SpecApplyCo // WithWebhookConfiguration sets the WebhookConfiguration field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the WebhookConfiguration field is set to the value of the last call. -func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration { +func (b *SpecApplyConfiguration) WithWebhookConfiguration(value *kyvernov1.WebhookConfigurationApplyConfiguration) *SpecApplyConfiguration { b.WebhookConfiguration = value return b } diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go index 8b9cd6b83e07..ac57bb438d7d 100644 --- a/pkg/client/applyconfigurations/utils.go +++ b/pkg/client/applyconfigurations/utils.go 
@@ -243,8 +243,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &kyvernov2beta1.SpecApplyConfiguration{} case v2beta1.SchemeGroupVersion.WithKind("Validation"): return &kyvernov2beta1.ValidationApplyConfiguration{} - case v2beta1.SchemeGroupVersion.WithKind("WebhookConfiguration"): - return &kyvernov2beta1.WebhookConfigurationApplyConfiguration{} // Group=reports.kyverno.io, Version=v1 case reportsv1.SchemeGroupVersion.WithKind("ClusterEphemeralReport"): diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index 206fb52bf197..38da70e4aa15 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go @@ -1030,9 +1030,10 @@ func (c *controller) mergeWebhook(dst *webhook, policy kyvernov1.PolicyInterface } spec := policy.GetSpec() - if spec.WebhookTimeoutSeconds != nil { - if dst.maxWebhookTimeout < *spec.WebhookTimeoutSeconds { - dst.maxWebhookTimeout = *spec.WebhookTimeoutSeconds + webhookTimeoutSeconds := spec.GetWebhookTimeoutSeconds() + if webhookTimeoutSeconds != nil { + if dst.maxWebhookTimeout < *webhookTimeoutSeconds { + dst.maxWebhookTimeout = *webhookTimeoutSeconds } } } From 6e92066ac74b6153d3962f9d7c3210f886ea6fdc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 07:50:43 +0000 Subject: [PATCH 03/10] chore(deps): bump cbrgm/cleanup-stale-branches-action (#10524) Bumps [cbrgm/cleanup-stale-branches-action](https://github.com/cbrgm/cleanup-stale-branches-action) from 1.1.16 to 1.1.17. - [Release notes](https://github.com/cbrgm/cleanup-stale-branches-action/releases) - [Commits](https://github.com/cbrgm/cleanup-stale-branches-action/compare/af96333d4b82de4b00ea2305610a0e3a3da82392...6a9aa7a9b01c30ea7cd3af72a9a16b9ba80e51fb) --- updated-dependencies: - dependency-name: cbrgm/cleanup-stale-branches-action dependency-type: direct:production update-type: version-update:semver-patch ... 
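Review bot: The merged value in `mergeWebhook` is still taken unbounded, and the CRD schema for the new `webhookConfiguration.timeoutSeconds` (earlier hunk) declares only `format: int32`/`type: integer` while its description promises 1–30 seconds. Kubernetes rejects a webhook configuration whose `timeoutSeconds` is outside 1–30, so a single policy carrying an out-of-range value would, unless the policy validation webhook or `GetWebhookTimeoutSeconds` already clamps it (neither is visible in this diff), prevent the merged webhook from being registered at all, which leaves every policy in that webhook unenforced. I would either add `+kubebuilder:validation:Minimum=1` / `Maximum=30` markers on the field or guard here, e.g. `if t := spec.GetWebhookTimeoutSeconds(); t != nil && *t >= 1 && *t <= 30 && dst.maxWebhookTimeout < *t { dst.maxWebhookTimeout = *t }`, with a comment that the API server enforces that range. A short comment above the call noting which field wins when both the deprecated `webhookTimeoutSeconds` and the new nested field are set (that decision lives in `GetWebhookTimeoutSeconds`, outside this hunk) would also help. The enclosing function `mergeWebhook` starts before the hunk.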
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/clean-stale-branches.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/clean-stale-branches.yaml b/.github/workflows/clean-stale-branches.yaml index c93db5324a05..356bf3ff1f57 100644 --- a/.github/workflows/clean-stale-branches.yaml +++ b/.github/workflows/clean-stale-branches.yaml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Cleanup Stale Branches - uses: cbrgm/cleanup-stale-branches-action@af96333d4b82de4b00ea2305610a0e3a3da82392 # v1.1.16 + uses: cbrgm/cleanup-stale-branches-action@6a9aa7a9b01c30ea7cd3af72a9a16b9ba80e51fb # v1.1.17 with: token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.repository }} From 585aff0aca7587e9cd6e02d32d365b05f6b5aaf2 Mon Sep 17 00:00:00 2001 From: Yukun Wang Date: Mon, 24 Jun 2024 19:15:39 +0800 Subject: [PATCH 04/10] include time and hash in build info (#10474) Signed-off-by: airycanon --- .goreleaser.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.goreleaser.yml b/.goreleaser.yml index 1507aa081421..90aa933d4f69 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -6,7 +6,10 @@ before: builds: - id: kyverno-cli - main: cmd/cli/kubectl-kyverno/main.go + # As mentioned in https://github.com/golang/go/issues/51831, to include build info, we should use go build + # instead of go build main.go here. + # see https://goreleaser.com/customization/builds/ + main: ./cmd/cli/kubectl-kyverno binary: kyverno env: - CGO_ENABLED=0 From b7bf894fe9d9f602d75ad5753d540365259ffa4c Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 24 Jun 2024 18:54:57 +0700 Subject: [PATCH 05/10] chore: use v2 for exceptions in chainsaw tests (#10529) 
Signed-off-by: Mariam Fahmy --- .../commands/create/exception/command_test.go | 4 ++-- .../commands/create/templates/exception.yaml | 2 +- pkg/event/events.go | 2 +- pkg/validation/exception/validate_test.go | 8 ++++---- test/cli/test-exceptions/exceptions-1/exception.yaml | 2 +- test/cli/test-exceptions/exceptions-2/exception.yaml | 2 +- test/cli/test-exceptions/exceptions-3/exception.yaml | 2 +- .../apply/apply-exception-with-ns-selector/exception.yaml | 2 +- .../exceptions/allows-rejects-creation/exception.yaml | 2 +- .../chainsaw/exceptions/applies-to-delete/exception.yaml | 2 +- .../background-mode/standard/exception-allowed.yaml | 2 +- .../background-mode/standard/exception-rejected.yaml | 2 +- .../chainsaw/exceptions/conditions/exception.yaml | 2 +- .../events-creation/chainsaw-step-02-apply-2.yaml | 2 +- .../exceptions/exclude-capabilities/exception.yaml | 2 +- .../chainsaw/exceptions/exclude-host-ports/exception.yaml | 2 +- .../exception.yaml | 2 +- .../exceptions/exclude-hostpath-volume/exception.yaml | 2 +- .../exclude-privilege-escalation/exception.yaml | 2 +- .../exclude-privileged-containers/exception.yaml | 2 +- .../exclude-restricted-capabilities/exception.yaml | 2 +- .../exceptions/exclude-restricted-seccomp/exception.yaml | 2 +- .../exclude-running-as-nonroot-user/exception.yaml | 2 +- .../exceptions/exclude-running-as-nonroot/exception.yaml | 2 +- .../chainsaw/exceptions/exclude-seccomp/exception.yaml | 2 +- .../chainsaw/exceptions/exclude-selinux/exception.yaml | 2 +- .../chainsaw/exceptions/exclude-sysctls/exception.yaml | 2 +- .../exceptions/exclude-volume-types/exception.yaml | 2 +- .../exceptions/good-bad-conditions/failing-exception.yaml | 2 +- .../exceptions/good-bad-conditions/passing-exception.yaml | 2 +- .../exceptions/only-for-specific-user/exception.yaml | 2 +- .../chainsaw/exceptions/with-wildcard/exception.yaml | 2 +- .../skip-generate/cpol-with-exceptions/exception.yaml | 2 +- .../policy-exceptions-disabled/policy_exception.yaml | 
2 +- .../chainsaw/reports/admission/exception/exception.yaml | 2 +- .../background/exception-with-conditions/exception.yaml | 2 +- .../background/exception-with-podsecurity/exception.yaml | 2 +- .../chainsaw/reports/background/exception/exception.yaml | 2 +- .../chainsaw-step-01-apply-1-4.yaml | 2 +- .../chainsaw-step-01-assert-1-3.yaml | 2 +- 40 files changed, 44 insertions(+), 44 deletions(-) diff --git a/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go b/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go index e177c733d97a..d4f7143a57da 100644 --- a/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go +++ b/cmd/cli/kubectl-kyverno/commands/create/exception/command_test.go @@ -40,7 +40,7 @@ func TestCommandWithAny(t *testing.T) { out, err := io.ReadAll(b) assert.NoError(t, err) expected := ` -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: test @@ -72,7 +72,7 @@ func TestCommandWithAll(t *testing.T) { out, err := io.ReadAll(b) assert.NoError(t, err) expected := ` -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: test diff --git a/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml b/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml index bdb65cc3a0f9..2e4f76188ebd 100644 --- a/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml +++ b/cmd/cli/kubectl-kyverno/commands/create/templates/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: {{ .Name }} diff --git a/pkg/event/events.go b/pkg/event/events.go index 22f69967b695..9465ba8c6d3f 100644 --- a/pkg/event/events.go +++ b/pkg/event/events.go 
@@ -288,7 +288,7 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp func NewCleanupPolicyEvent(policy kyvernov2beta1.CleanupPolicyInterface, resource unstructured.Unstructured, err error) Info { regarding := corev1.ObjectReference{ // TODO: iirc it's not safe to assume api version is set - APIVersion: "kyverno.io/v2beta1", + APIVersion: "kyverno.io/v2", Kind: policy.GetKind(), Name: policy.GetName(), Namespace: policy.GetNamespace(), diff --git a/pkg/validation/exception/validate_test.go b/pkg/validation/exception/validate_test.go index e10e2874031c..a55e85a64c6a 100644 --- a/pkg/validation/exception/validate_test.go +++ b/pkg/validation/exception/validate_test.go @@ -26,7 +26,7 @@ func Test_Validate(t *testing.T) { Enabled: false, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 1, }, 
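Review bot: The `regarding` reference now hardcodes `APIVersion: "kyverno.io/v2"` while the parameter is still typed `kyvernov2beta1.CleanupPolicyInterface`, so the event points at a different API version than the type the function is declared against, and the `TODO` above it about TypeMeta not being reliably populated is left in place rather than resolved. If the v2 API package is importable here, `APIVersion: kyvernov2.SchemeGroupVersion.String()` (or an equivalent group-version constant) would tie the string to the served version instead of a literal that has to be bumped on every API promotion; if not, a comment such as `// kept in sync with the storage version of CleanupPolicy; the object's TypeMeta may be empty when read from an informer cache` would at least explain why the literal is there. The body of `NewCleanupPolicyEvent` continues beyond the hunk.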
@@ -37,7 +37,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 1, }, @@ -48,7 +48,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "kyverno", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 0, }, 
@@ -59,7 +59,7 @@ func Test_Validate(t *testing.T) { Enabled: true, Namespace: "", }, - resource: []byte(`{"apiVersion":"kyverno.io/v2beta1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), + resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, want: 0, }, diff --git a/test/cli/test-exceptions/exceptions-1/exception.yaml b/test/cli/test-exceptions/exceptions-1/exception.yaml index cdd54d013092..93dd81a83c81 100644 --- a/test/cli/test-exceptions/exceptions-1/exception.yaml +++ b/test/cli/test-exceptions/exceptions-1/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: delta-exception diff --git a/test/cli/test-exceptions/exceptions-2/exception.yaml b/test/cli/test-exceptions/exceptions-2/exception.yaml index e7a8ede127f3..4ab722cd7e3c 100644 --- a/test/cli/test-exceptions/exceptions-2/exception.yaml +++ b/test/cli/test-exceptions/exceptions-2/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: container-exception diff --git a/test/cli/test-exceptions/exceptions-3/exception.yaml b/test/cli/test-exceptions/exceptions-3/exception.yaml index b3c8ee87e552..48d534e71136 100644 --- a/test/cli/test-exceptions/exceptions-3/exception.yaml +++ b/test/cli/test-exceptions/exceptions-3/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception 
diff --git a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/exception.yaml b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/exception.yaml index 0cb0d502a986..7272c3c687e4 100644 --- a/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/exception.yaml +++ b/test/conformance/chainsaw/cli/apply/apply-exception-with-ns-selector/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: exception diff --git a/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml index 3c5fd95b9b24..ae94ec83904c 100644 --- a/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml +++ b/test/conformance/chainsaw/exceptions/allows-rejects-creation/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: mynewpolex diff --git a/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml index a9e5e9afb7aa..f0f3347fc510 100644 --- a/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml +++ b/test/conformance/chainsaw/exceptions/applies-to-delete/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: delta-exception diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml index 8e550cc2de84..498f003c5089 100644 --- a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml +++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-allowed.yaml 
@@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: polex-right diff --git a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml index 94845c6e40a1..4f4e2aa240fd 100644 --- a/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml +++ b/test/conformance/chainsaw/exceptions/background-mode/standard/exception-rejected.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: polex-wrong diff --git a/test/conformance/chainsaw/exceptions/conditions/exception.yaml b/test/conformance/chainsaw/exceptions/conditions/exception.yaml index e7a8ede127f3..4ab722cd7e3c 100644 --- a/test/conformance/chainsaw/exceptions/conditions/exception.yaml +++ b/test/conformance/chainsaw/exceptions/conditions/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: container-exception diff --git a/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml b/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml index 31e9e32f1de4..e51e5889384b 100755 --- a/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml +++ b/test/conformance/chainsaw/exceptions/events-creation/chainsaw-step-02-apply-2.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: policy-exception-allow-latest diff --git a/test/conformance/chainsaw/exceptions/exclude-capabilities/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-capabilities/exception.yaml index 64cc01904a70..d8f43f62626f 100644 --- a/test/conformance/chainsaw/exceptions/exclude-capabilities/exception.yaml 
+++ b/test/conformance/chainsaw/exceptions/exclude-capabilities/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-host-ports/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-host-ports/exception.yaml index 3a3aa8b00102..38563f16cc08 100644 --- a/test/conformance/chainsaw/exceptions/exclude-host-ports/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-ports/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/exception.yaml index 989c1cc74838..9cd2c51df885 100644 --- a/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-host-process-and-host-namespaces/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml index 65397c40dd98..d1ddc7b79dad 100644 --- a/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-hostpath-volume/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception 
diff --git a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml index 52ced416e499..feede38bfda6 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-privilege-escalation/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml index 85488ca435f8..33634cec3760 100644 --- a/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-privileged-containers/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml index 128a7df33990..ab15bdd4654c 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-capabilities/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml index 880f54a86b0e..007fda3f0777 100644 --- a/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-restricted-seccomp/exception.yaml 
@@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml index da3b1d1283f4..f1a7629947a4 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot-user/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml index aa3f87460d25..8d5c4446cb13 100644 --- a/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-running-as-nonroot/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml index c7780afa9739..3318fcf5313f 100644 --- a/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-seccomp/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml index ebf95b757066..bcc2cd8f7422 100644 --- a/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml 
+++ b/test/conformance/chainsaw/exceptions/exclude-selinux/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml index ed00705ef3c1..1258d46eba73 100644 --- a/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-sysctls/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml b/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml index 45b096a51211..b718809ca0d2 100644 --- a/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml +++ b/test/conformance/chainsaw/exceptions/exclude-volume-types/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml index abcebda9090b..9fd478d9f4f1 100644 --- a/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml +++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: failing-container-exception diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml index 8d3323cbaaf4..a0c3ec4a3fa9 100644 
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml +++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: passing-container-exception diff --git a/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml index b5beaf8848d8..0f2efbdc1c66 100644 --- a/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml +++ b/test/conformance/chainsaw/exceptions/only-for-specific-user/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: mynewpolex diff --git a/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml index 9ded4a7449c6..7c5b688d46c2 100644 --- a/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml +++ b/test/conformance/chainsaw/exceptions/with-wildcard/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: mynewpolex diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/exception.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/exception.yaml index 43c75ab45b09..c4e61e5378ce 100644 --- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/exception.yaml +++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-with-exceptions/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: policy-exception 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml index 8b1026d3a0c1..9c8b6531f97c 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/policy-exceptions-disabled/policy_exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: label-exception diff --git a/test/conformance/chainsaw/reports/admission/exception/exception.yaml b/test/conformance/chainsaw/reports/admission/exception/exception.yaml index 3c5fd95b9b24..ae94ec83904c 100644 --- a/test/conformance/chainsaw/reports/admission/exception/exception.yaml +++ b/test/conformance/chainsaw/reports/admission/exception/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: mynewpolex diff --git a/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml b/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml index 87cba12d24b0..4c388896ba9b 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml +++ b/test/conformance/chainsaw/reports/background/exception-with-conditions/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: container-exception diff --git a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml index 74a017020b0c..0fffbed031d9 100644 --- a/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml 
+++ b/test/conformance/chainsaw/reports/background/exception-with-podsecurity/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: pod-security-exception diff --git a/test/conformance/chainsaw/reports/background/exception/exception.yaml b/test/conformance/chainsaw/reports/background/exception/exception.yaml index 54a997c3504c..fa60bad8a9da 100644 --- a/test/conformance/chainsaw/reports/background/exception/exception.yaml +++ b/test/conformance/chainsaw/reports/background/exception/exception.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: mynewpolex diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml index f93610898536..86b6844742d5 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-apply-1-4.yaml @@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: allow-scaling-nginx-test diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml index f93610898536..86b6844742d5 100755 --- a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml +++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/bypass-with-policy-exception/chainsaw-step-01-assert-1-3.yaml 
@@ -1,4 +1,4 @@ -apiVersion: kyverno.io/v2beta1 +apiVersion: kyverno.io/v2 kind: PolicyException metadata: name: allow-scaling-nginx-test From e892a0531e10d8e79e57da1689706380594e8dd5 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 24 Jun 2024 20:40:50 +0700 Subject: [PATCH 06/10] chore: add tests that use spec.webhookConfiguration (#10526) * chore: add tests that use spec.webhookConfiguration Signed-off-by: Mariam Fahmy * fix chainsaw tests Signed-off-by: Mariam Fahmy --------- 
Signed-off-by: Mariam Fahmy --- api/kyverno/v1/spec_types.go | 4 +- api/kyverno/v2beta1/spec_types.go | 4 +- pkg/controllers/policycache/controller.go | 2 +- pkg/controllers/webhook/controller.go | 4 +- pkg/controllers/webhook/utils.go | 2 +- pkg/validation/policy/validate.go | 2 +- .../cluster-policy/fail(deprecated)/README.md | 7 +++ .../fail(deprecated)/chainsaw-test.yaml | 17 +++++++ .../fail(deprecated)/policy-assert.yaml | 19 +++++++ .../fail(deprecated)/policy.yaml | 47 ++++++++++++++++++ .../fail(deprecated)/webhooks-assert.yaml | 39 +++++++++++++++ .../cluster-policy/fail/policy.yaml | 6 ++- .../invalid-timeout(deprecated)/README.md | 7 +++ .../chainsaw-test.yaml | 19 +++++++ .../invalid-timeout(deprecated)/policy-1.yaml | 16 ++++++ .../invalid-timeout(deprecated)/policy-2.yaml | 16 ++++++ .../invalid-timeout/policy-1.yaml | 3 +- .../invalid-timeout/policy-2.yaml | 3 +- .../e2e/yaml-signing(deprecated)/README.md | 11 +++++ .../e2e/yaml-signing(deprecated)/bad.yaml | 21 ++++++++ .../chainsaw-step-02-apply-1-1.yaml | 24 +++++++++ .../chainsaw-test.yaml | 23 +++++++++ .../policy-ready.yaml | 9 ++++ .../e2e/yaml-signing(deprecated)/policy.yaml | 49 +++++++++++++++++++ .../validate/e2e/yaml-signing/policy.yaml | 5 +- .../multi-signatures(deprecated)/README.md | 10 ++++ .../chainsaw-test.yaml | 32 ++++++++++++ .../policy-assert.yaml | 9 ++++ .../multi-signatures(deprecated)/policy.yaml | 42 ++++++++++++++++ .../resource-bad-signatures.yaml | 15 ++++++ .../resource-no-signature.yaml | 11 +++++ .../resource-one-signature.yaml | 14 ++++++ .../resource-two-signatures.yaml | 15 ++++++ .../multi-signatures/policy.yaml | 7 +-- .../single-signature(deprecated)/README.md | 10 ++++ .../chainsaw-test.yaml | 29 +++++++++++ .../policy-assert.yaml | 9 ++++ .../single-signature(deprecated)/policy.yaml | 33 +++++++++++++ .../resource-bad-signatures.yaml | 15 ++++++ .../resource-no-signature.yaml | 11 +++++ .../resource-one-signature.yaml | 14 ++++++ 
.../resource-two-signatures.yaml | 15 ++++++ .../single-signature/policy.yaml | 7 +-- .../README.md | 11 +++++ .../bad-pod.yaml | 9 ++++ .../chainsaw-step-02-apply-1.yaml | 4 ++ .../chainsaw-test.yaml | 23 +++++++++ .../policy-ready.yaml | 9 ++++ .../policy.yaml | 37 ++++++++++++++ .../policy.yaml | 5 +- 50 files changed, 732 insertions(+), 23 deletions(-) create mode 100644 test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md create mode 100755 test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml create mode 100644 test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml create mode 100644 test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml create mode 100644 test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md create mode 100755 test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml create mode 100644 test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml create mode 100644 test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md create mode 100644 test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml create mode 100755 test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml create mode 100755 test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml create mode 100644 
test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md create mode 100755 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md create mode 100755 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml create mode 100644 test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml create mode 100644 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index b2e87215ddfe..e66593391233 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -119,8 +119,8 @@ type Spec struct { WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"` } -func (s *Spec) CustomWebhookConfiguration() bool { - return s.WebhookConfiguration != nil +func (s *Spec) CustomWebhookMatchConditions() bool { + return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0 } func (s *Spec) SetRules(rules []Rule) { diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index b0a5e713a05c..d6e7a4eb6b46 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go 
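Review bot: `CustomWebhookMatchConditions` is exported but carries no doc comment, and its meaning is narrower than the method it replaces (any `webhookConfiguration` → only one with non-empty `MatchConditions`), which is exactly the kind of change a caller can miss. Add above the method: `// CustomWebhookMatchConditions reports whether the policy declares its own webhook matchConditions. A webhookConfiguration that only sets failurePolicy or timeoutSeconds does not count.` The identical method in the v2beta1 `spec_types.go` hunk that follows should carry the same comment so both API versions document the same contract.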
@@ -81,8 +81,8 @@ type Spec struct { WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"` } -func (s *Spec) CustomWebhookConfiguration() bool { - return s.WebhookConfiguration != nil +func (s *Spec) CustomWebhookMatchConditions() bool { + return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0 } func (s *Spec) SetRules(rules []Rule) { diff --git a/pkg/controllers/policycache/controller.go b/pkg/controllers/policycache/controller.go index e65fa9297e26..f5073dff22ec 100644 --- a/pkg/controllers/policycache/controller.go +++ b/pkg/controllers/policycache/controller.go @@ -113,7 +113,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam } return err } - if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookConfiguration() { + if policy.AdmissionProcessingEnabled() && !policy.GetSpec().CustomWebhookMatchConditions() { if policy.IsReady() { return c.cache.Set(key, policy, c.client.Discovery()) } else { diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index 38da70e4aa15..4c2a2a87861a 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go @@ -702,7 +702,7 @@ func (c *controller) buildResourceMutatingWebhookConfiguration(ctx context.Conte if p.AdmissionProcessingEnabled() { spec := p.GetSpec() if spec.HasMutateStandard() || spec.HasVerifyImages() { - if spec.CustomWebhookConfiguration() { + if spec.CustomWebhookMatchConditions() { fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p) fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p) if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { 
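Review bot: With the condition in `reconcile` now `!policy.GetSpec().CustomWebhookMatchConditions()`, a policy whose `webhookConfiguration` sets only `failurePolicy` or `timeoutSeconds` is admitted to the policy cache and hence served by the shared webhooks, where previously any `webhookConfiguration` excluded it; that is consistent with the webhook controller hunks below, but nothing at the call site says so. A why-comment would save the next reader a trip through three files: `// only policies without their own matchConditions are served by the shared webhooks; those with matchConditions get a per-policy webhook and are not cached here`. The enclosing `reconcile` continues outside the hunk, so I cannot see whether the ready/unready branches need the same distinction.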
@@ -871,7 +871,7 @@ func (c *controller) buildResourceValidatingWebhookConfiguration(ctx context.Con if p.AdmissionProcessingEnabled() { spec := p.GetSpec() if spec.HasValidate() || spec.HasGenerate() || spec.HasMutateExisting() || spec.HasVerifyImageChecks() || spec.HasVerifyManifests() { - if spec.CustomWebhookConfiguration() { + if spec.CustomWebhookMatchConditions() { fineGrainedIgnore := newWebhookPerPolicy(c.defaultTimeout, ignore, cfg.GetMatchConditions(), p) fineGrainedFail := newWebhookPerPolicy(c.defaultTimeout, fail, cfg.GetMatchConditions(), p) if spec.GetFailurePolicy(ctx) == kyvernov1.Ignore { diff --git a/pkg/controllers/webhook/utils.go b/pkg/controllers/webhook/utils.go index 4cc330b100c9..3e59eec937a2 100644 --- a/pkg/controllers/webhook/utils.go +++ b/pkg/controllers/webhook/utils.go @@ -65,7 +65,7 @@ func newWebhookPerPolicy(timeout int32, failurePolicy admissionregistrationv1.Fa Namespace: policy.GetNamespace(), Name: policy.GetName(), } - if policy.GetSpec().CustomWebhookConfiguration() { + if policy.GetSpec().CustomWebhookMatchConditions() { webhook.matchConditions = policy.GetSpec().GetMatchConditions() } return webhook diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go index 336e95506862..e7fba25a6a1b 100644 --- a/pkg/validation/policy/validate.go +++ b/pkg/validation/policy/validate.go @@ -133,7 +133,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf spec := policy.GetSpec() background := spec.BackgroundProcessingEnabled() mutateExistingOnPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate() - if policy.GetSpec().CustomWebhookConfiguration() && + if policy.GetSpec().CustomWebhookMatchConditions() && !kubeutils.HigherThanKubernetesVersion(client.GetKubeClient().Discovery(), logging.GlobalLogger(), 1, 27, 0) { return warnings, fmt.Errorf("custom webhook configurations are only supported in kubernetes version 1.27.0 and above") } 
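Review bot: In `validate.go` the version gate now fires only when `CustomWebhookMatchConditions()` is true, but the returned error still reads "custom webhook configurations are only supported in kubernetes version 1.27.0 and above", which is now wrong: a `webhookConfiguration` that sets only `failurePolicy` or `timeoutSeconds` passes this check on older clusters. Change the message to match the condition, `return warnings, fmt.Errorf("webhook match conditions are only supported in kubernetes version 1.27.0 and above")`, so users on pre-1.27 clusters are told which field is unsupported. `Validate` continues outside the hunk.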
diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md new file mode 100644 index 000000000000..ed2abbd21267 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/README.md @@ -0,0 +1,7 @@ +## Description + +This test creates a policy with `failurePolicy: Fail` but the configuration has `forceWebhookFailurePolicyIgnore: true`. + +## Expected Behavior + +Webhooks should be configured with `failurePolicy: Ignore` regardless of the failure policy configured in the policies. diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..3f8de96975d0 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/chainsaw-test.yaml @@ -0,0 +1,17 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: fail +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - assert: + file: webhooks-assert.yaml diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml new file mode 100644 index 000000000000..167667619483 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy-assert.yaml 
@@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml new file mode 100644 index 000000000000..79d3bec1fbb0 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/policy.yaml @@ -0,0 +1,47 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: require-labels + annotations: + pod-policies.kyverno.io/autogen-controllers: none +spec: + failurePolicy: Fail + validationFailureAction: Enforce + background: false + rules: + - name: require-team + match: + any: + - resources: + kinds: + - Pod + validate: + message: 'The label `team` is required.' + pattern: + metadata: + labels: + team: '?*' +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-labels +spec: + failurePolicy: Fail + validationFailureAction: Enforce + background: false + rules: + - name: add-labels + match: + any: + - resources: + kinds: + - Pod + - Service + - ConfigMap + - Secret + mutate: + patchStrategicMerge: + metadata: + labels: + foo: bar diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml new file mode 100644 index 000000000000..1a0d490d5598 --- /dev/null +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail(deprecated)/webhooks-assert.yaml 
@@ -0,0 +1,39 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-validating-webhook-cfg +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kyverno-svc + namespace: kyverno + path: /validate/ignore + port: 443 + failurePolicy: Ignore + matchPolicy: Equivalent + name: validate.kyverno.svc-ignore + sideEffects: NoneOnDryRun +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: + webhook.kyverno.io/managed-by: kyverno + name: kyverno-resource-mutating-webhook-cfg +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: kyverno-svc + namespace: kyverno + path: /mutate/ignore + port: 443 + failurePolicy: Ignore + matchPolicy: Equivalent + name: mutate.kyverno.svc-ignore + sideEffects: NoneOnDryRun diff --git a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml index 79d3bec1fbb0..ad83cf9b6eab 100644 --- a/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml +++ b/test/conformance/chainsaw/force-failure-policy-ignore/cluster-policy/fail/policy.yaml @@ -5,7 +5,6 @@ metadata: annotations: pod-policies.kyverno.io/autogen-controllers: none spec: - failurePolicy: Fail validationFailureAction: Enforce background: false rules: @@ -21,13 +20,14 @@ spec: metadata: labels: team: '?*' + webhookConfiguration: + failurePolicy: Fail --- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: add-labels spec: - failurePolicy: Fail validationFailureAction: Enforce background: false rules: @@ -45,3 +45,5 @@ spec: metadata: labels: foo: bar + webhookConfiguration: + failurePolicy: Fail 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md new file mode 100644 index 000000000000..8c81c1c15051 --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create policies with invalid timeouts (`< 1` or `> 30`). + +## Expected Behavior + +Policies should be rejected. diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..3d487ec0b94f --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/chainsaw-test.yaml @@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: invalid-timeout +spec: + steps: + - name: step-01 + try: + - apply: + expect: + - check: + ($error != null): true + file: policy-1.yaml + - apply: + expect: + - check: + ($error != null): true + file: policy-2.yaml diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml new file mode 100644 index 000000000000..2c73d95718fb --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-1.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + webhookTimeoutSeconds: -1 + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} 
diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml new file mode 100644 index 000000000000..c7510ba423c2 --- /dev/null +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout(deprecated)/policy-2.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + webhookTimeoutSeconds: 31 + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod + validate: + deny: {} diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml index 2c73d95718fb..3f48c1eb06b2 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-1.yaml @@ -4,7 +4,6 @@ metadata: name: deny spec: validationFailureAction: Audit - webhookTimeoutSeconds: -1 rules: - name: deny match: @@ -14,3 +13,5 @@ spec: - Pod validate: deny: {} + webhookConfiguration: + timeoutSeconds: -1 diff --git a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml index c7510ba423c2..11a0a39da11c 100644 --- a/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml +++ b/test/conformance/chainsaw/policy-validation/cluster-policy/invalid-timeout/policy-2.yaml @@ -4,7 +4,6 @@ metadata: name: deny spec: validationFailureAction: Audit - webhookTimeoutSeconds: 31 rules: - name: deny match: @@ -14,3 +13,5 @@ spec: - Pod validate: deny: {} + webhookConfiguration: + timeoutSeconds: 31 
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md new file mode 100644 index 000000000000..421d1f122009 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test is migrated from e2e. It tests basic YAML manifest signature validation functionality. + +## Expected Behavior + +The `test-deployment` (defined in `bad.yaml`) should fail because it matches the policy conditions yet has not been signed while the `test-deployment` (defined in `02-good-deployment.yaml`) should pass because it also matches yet has been signed and the signature is valid according to the public key defined in the policy. + +## Reference Issue(s) + +N/A diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml new file mode 100644 index 000000000000..2d62719135ec --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/bad.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: nginx + name: test-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml new file mode 100755 index 000000000000..ffd1fdeca10a --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-step-02-apply-1-1.yaml 
@@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wBaAaX+H4sIAAAAAAAA/+ySz27bMAzGffZT8AUcSf6TpDrvuMMOw64DazOeEP2bxBZtn35wnXhegOW4oYB/F9rg930gQYlnTOIU7EApC/8mlDye7c9xqNk/Stc49902rn1ppZRy9OKr6IOLiXI2fqwYUzW+KXmQDw9tUx8FU+ZqoGjDqyPPu1d0tigm775t3+th371XWc//E12zL1Rbq042XacOhWzquusKkMU/4CkzpkLKdH4awh1dZjyd7vQvuyz1g4DRfKOUTfAaMMYsnlV5Nn7Q8Gk5Y+mIcUBGXQJYfCSbpy+YDBr8aPxLCeDRkYabF1DmSP0kThSt6TFrUCVAJks9hzTHOOT+x+dV7k0yk4sWmS7q1TAT9g/jjRXgOsBEHzyj8ZRW8gqMw5EuFq12qt3VS/e61u+8mRgSr0LmoCX+S0is4SjL/33djY2Njb/zKwAA//+MAMwjAAgAAAEAAP//7NcJ9loBAAA= + cosign.sigstore.dev/signature: MEUCICLCfb3LGKXcdKV3gTXl6qba3T2goZMbVX/54gyNR05UAiEAlvPuWVsCPuBx5wVqvtyT7hr/AfR9Fl7cNLDACaNIbx8= + labels: + app: nginx + name: test-deployment +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..b0f589880219 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: yaml-signing +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1-1.yaml + - name: step-03 + try: + - script: + content: "if kubectl apply -f bad.yaml\nthen \n echo \"Tested failed. Deployment + was created when it shouldn't have been.\"\n exit 1 \nelse \n echo \"Test + succeeded. Deployment was not created as intended.\"\n exit 0\nfi\n" 
diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml new file mode 100644 index 000000000000..85287d431e89 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-resources +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml new file mode 100644 index 000000000000..031a39261d31 --- /dev/null +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing(deprecated)/policy.yaml @@ -0,0 +1,49 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-resources +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-resources + match: + any: + - resources: + kinds: + - Deployment + - Pod + name: test* + exclude: + any: + - resources: + kinds: + - Pod + subjects: + - kind: ServiceAccount + namespace: kube-system + name: replicaset-controller + - resources: + kinds: + - ReplicaSet + subjects: + - kind: ServiceAccount + namespace: kube-system + name: deployment-controller + validate: + manifests: + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true diff --git a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml index 031a39261d31..bab429a6acc4 100644 
--- a/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml +++ b/test/conformance/chainsaw/validate/e2e/yaml-signing/policy.yaml @@ -5,8 +5,6 @@ metadata: spec: validationFailureAction: Enforce background: false - webhookTimeoutSeconds: 30 - failurePolicy: Fail rules: - name: validate-resources match: @@ -47,3 +45,6 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Fail diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md new file mode 100644 index 000000000000..ce47d1280cdf --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/README.md @@ -0,0 +1,10 @@ +## Description + +This test creates a policy to verify manifests signatures. +The policy specifies that two signatures are expected to be valid. + +## Expected Behavior + +Resource with no signature should be rejected. +Resource with one signature should be rejected. +Resource with two signatures should be accepted. diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..8092e845b9a2 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/chainsaw-test.yaml 
@@ -0,0 +1,32 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: multi-signatures +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource-no-signature.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-one-signature.yaml + - apply: + file: resource-two-signatures.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-bad-signatures.yaml diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml new file mode 100644 index 000000000000..582ac4e67a83 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml new file mode 100644 index 000000000000..e862e67b54a8 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/policy.yaml 
@@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-yaml + match: + any: + - resources: + kinds: + - Service + validate: + manifests: + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy + FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== + -----END PUBLIC KEY----- + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml new file mode 100644 index 000000000000..736b82c12704 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-bad-signatures.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: NotMyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml new file mode 100644 index 000000000000..87100c787a93 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-no-signature.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: test-service1 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml new file mode 100644 index 000000000000..3de473b4ee40 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-one-signature.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA + cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y= + name: test-service2 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml new file mode 100644 index 000000000000..50a69cf2005b --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures(deprecated)/resource-two-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp 
diff --git a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml index e862e67b54a8..b0a27bf77de6 100644 --- a/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/multi-signatures/policy.yaml @@ -4,9 +4,7 @@ metadata: name: validate-yaml spec: validationFailureAction: Enforce - background: false - webhookTimeoutSeconds: 30 - failurePolicy: Fail + background: false rules: - name: validate-yaml match: @@ -40,3 +38,6 @@ spec: ignoreTlog: true ctlog: ignoreSCT: true + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Fail diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md new file mode 100644 index 000000000000..cf5eb1c5b278 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/README.md @@ -0,0 +1,10 @@ +## Description + +This test creates a policy to verify manifests signatures. +The policy specifies that at least one signature is expected to be valid. + +## Expected Behavior + +Resource with no signature should be rejected. +Resource with one signature should be accepted. +Resource with two signatures should be accepted. diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..04656217ffc8 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/chainsaw-test.yaml 
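Review bot: In the multi-signatures/policy.yaml hunk the line `background: false` is removed and re-added with no visible change, which suggests an indentation or trailing-whitespace edit rather than part of the migration; the single-signature/policy.yaml hunk later in this patch shows the same pattern. If the line is byte-identical after the move, keep it as context so the diff shows only `webhookTimeoutSeconds` and `failurePolicy` moving under `webhookConfiguration`. If its indentation did change, that is worth a word in the description, since nesting decides which key the value belongs to.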
@@ -0,0 +1,29 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: single-signature +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + expect: + - check: + ($error != null): true + file: resource-no-signature.yaml + - apply: + file: resource-one-signature.yaml + - apply: + file: resource-two-signatures.yaml + - apply: + expect: + - check: + ($error != null): true + file: resource-bad-signatures.yaml diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml new file mode 100644 index 000000000000..582ac4e67a83 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml new file mode 100644 index 000000000000..156eda52fe06 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/policy.yaml 
@@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validate-yaml +spec: + validationFailureAction: Enforce + background: false + webhookTimeoutSeconds: 30 + failurePolicy: Fail + rules: + - name: validate-yaml + match: + any: + - resources: + kinds: + - Service + validate: + manifests: + attestors: + - count: 1 + entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQfmL5YwHbn9xrrgG3vgbU0KJxMY + BibYLJ5L4VSMvGxeMLnBGdM48w5IE//6idUPj3rscigFdHs7GDMH4LLAng== + -----END PUBLIC KEY----- + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy + FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== + -----END PUBLIC KEY----- diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml new file mode 100644 index 000000000000..736b82c12704 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-bad-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: NotMyApp 
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml new file mode 100644 index 000000000000..87100c787a93 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-no-signature.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: test-service1 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml new file mode 100644 index 000000000000..3de473b4ee40 --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-one-signature.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/wAuAdH+H4sIAAAAAAAA/+yPPW7rMBCEVesUewE90aJ+bHYPqQMYiJE2YKS1IlgUid21E/v0geggVeDK7vQ1M+RMsUPI/kgtZjz0mbjw72zdmNwXpZSqyzJqU1dRVXF9R6t1siq11rouikYnShdNrRJQd77jT44slhKl6HDs/I0ei93vb+Q/W341P1nK937skDg/V3lVrvXb5Li5VO+duHZz+HJOf37M5X7Kd3nrXSBkHqY+E0tZf8lQ4UYXVVPrrnjA9BkbhlckHvxk4LRKD8PUGXhBOg0tpg7FdlasSQEm69CAIEvG17hIOWA7Z8GT8GyyaA2sVQoAEMiLb/1oYPe0jT9iqUfZxtJGN3UKwDhiK55MLNgQDDyf/4eQPmjxwsLCwsLMdwAAAP//a1+4aAAIAAABAAD//9BEPkguAQAA + cosign.sigstore.dev/signature: MEUCIGsd5kBomJgAJKbzoaoaDt5sWGSdA9EPGon4XY3Jmg9XAiEAwtqhN7tRzXNP3y0l5h2nxzg0WRnitCONiPi+BSP1e5Y= + name: test-service2 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp 
diff --git a/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml new file mode 100644 index 000000000000..50a69cf2005b --- /dev/null +++ b/test/conformance/chainsaw/verify-manifests/single-signature(deprecated)/resource-two-signatures.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + cosign.sigstore.dev/message: H4sIAAAAAAAA/ySKTarDMAwG9zrFd4HAewT6o13puhBo6V44opgmtrBEoLcvcXfDzIjlpzbPtTC2f3rnMjPu2raclFYNmSWECSiyKiPUY/BfHslN096stvAdho6M0x8BgLUaNdWF8bhO3YS0l8bUp/N4PBDgumiK2rgPYsa4fS5m9A0AAP//mX2z9ZsAAAA= + cosign.sigstore.dev/signature: MEYCIQDMIHC26nBdO/GeFZpP1CNdmGVO41w5P0PCN4DemLk/mgIhAJ04E76kz25pkUXHxrfKIWVKuD+KGw5TStPNWZPCqPLK + cosign.sigstore.dev/signature_1: MEQCIDZ7YUjwtSvjgaOLaXQiT2F7P00FUC+QZqI8DcBjMlgVAiAMojKmnl7TRkqpPMXBsz6rWIMU8VpfItcQ5QrLKLQRHg== + name: test-service3 +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9376 + selector: + app: MyApp diff --git a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml index 156eda52fe06..755b343c2979 100644 --- a/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml +++ b/test/conformance/chainsaw/verify-manifests/single-signature/policy.yaml @@ -4,9 +4,7 @@ metadata: name: validate-yaml spec: validationFailureAction: Enforce - background: false - webhookTimeoutSeconds: 30 - failurePolicy: Fail + background: false rules: - name: validate-yaml match: @@ -31,3 +29,6 @@ spec: MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy FdGxexVrR4YqO1pRViKxmD9oMu4I7K/4sM51nbH65ycB2uRiDfIdRoV/+A== -----END PUBLIC KEY----- + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Fail 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md new file mode 100644 index 000000000000..c40477b6f5c1 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/README.md @@ -0,0 +1,11 @@ +## Description + +This test verifies that resource creation is not blocked if the `failurePolicy` is set to `Ignore`, when there is an error resolving context variables. + +## Expected Behavior + +The pod should be created successfully. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6742 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml new file mode 100644 index 000000000000..0d38ac01a611 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/bad-pod.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: test-fail + namespace: failure-policy-test-noconfigmap-diffimage-success +spec: + containers: + - image: ghcr.io/kyverno/test-verify-image:signed + name: test-fail diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml new file mode 100755 index 000000000000..6f5564258fb3 --- /dev/null 
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-step-02-apply-1.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: failure-policy-test-noconfigmap-diffimage-success diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml new file mode 100755 index 000000000000..be39aaf6cfdd --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/chainsaw-test.yaml @@ -0,0 +1,23 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: failure-policy-test-noconfigmap-diffimage-success +spec: + timeouts: + delete: 2m + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: chainsaw-step-02-apply-1.yaml + - name: step-03 + try: + - apply: + file: bad-pod.yaml diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml new file mode 100644 index 000000000000..cfdc4c1e1cce --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy-ready.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: image-verify-polset-failurepolicy-ignore +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready 
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml new file mode 100644 index 000000000000..2b7067296066 --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success(deprecated)/policy.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: image-verify-polset-failurepolicy-ignore +spec: + background: false + failurePolicy: Ignore + rules: + - context: + - configMap: + name: myconfigmap + namespace: mynamespace + name: myconfigmap + match: + any: + - resources: + kinds: + - Pod + name: image-verify-pol1 + verifyImages: + - imageReferences: + - ghcr.io/* + mutateDigest: false + verifyDigest: false + attestors: + - entries: + - keys: + publicKeys: '{{myconfigmap.data.configmapkey}}' + rekor: + url: https://rekor.sigstore.dev + ignoreTlog: true + ctlog: + ignoreSCT: true + validationFailureAction: Audit + webhookTimeoutSeconds: 30 diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml index 2b7067296066..10a3818996ee 100644 --- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/failure-policy-test-noconfigmap-diffimage-success/policy.yaml @@ -6,7 +6,6 @@ metadata: name: image-verify-polset-failurepolicy-ignore spec: background: false - failurePolicy: Ignore rules: - context: - configMap: 
@@ -34,4 +33,6 @@ spec: ctlog: ignoreSCT: true validationFailureAction: Audit - webhookTimeoutSeconds: 30 + webhookConfiguration: + timeoutSeconds: 30 + failurePolicy: Ignore From 94d9bbe73fd4788f93c45106b76089351b1d6ef5 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 24 Jun 2024 23:36:55 +0700 Subject: [PATCH 07/10] chore: use v2 clients for policy exceptions (#10530) Signed-off-by: Mariam Fahmy --- api/kyverno/v2/policy_exception_types.go | 5 ++++ .../kubectl-kyverno/commands/apply/command.go | 5 ++-- cmd/cli/kubectl-kyverno/exception/load.go | 16 ++++++------- .../kubectl-kyverno/processor/exceptions.go | 8 +++---- .../processor/policy_processor.go | 3 +-- cmd/internal/engine.go | 2 +- cmd/kyverno/main.go | 2 +- cmd/reports-controller/main.go | 4 ++-- pkg/controllers/exceptions/controller.go | 24 +++++++++---------- .../report/background/controller.go | 20 ++++++++-------- pkg/controllers/report/utils/utils.go | 8 +++---- .../controller.go | 20 ++++++++-------- pkg/engine/api/ruleresponse.go | 8 +++---- pkg/engine/api/selector.go | 4 ++-- pkg/engine/exceptions.go | 4 ++-- pkg/engine/handlers/handler.go | 4 ++-- .../handlers/mutation/mutate_existing.go | 4 ++-- pkg/engine/handlers/mutation/mutate_image.go | 4 ++-- .../handlers/mutation/mutate_resource.go | 4 ++-- .../handlers/validation/validate_cel.go | 4 ++-- .../handlers/validation/validate_image.go | 4 ++-- .../handlers/validation/validate_manifest.go | 4 ++-- .../handlers/validation/validate_pss.go | 4 ++-- .../handlers/validation/validate_resource.go | 4 ++-- pkg/engine/utils/exceptions.go | 2 +- pkg/exceptions/selector.go | 8 +++---- pkg/utils/admission/exception.go | 10 ++++---- pkg/utils/admission/exception_test.go | 6 ++--- pkg/utils/report/metadata.go | 6 ++--- pkg/validation/exception/validate.go | 4 ++-- pkg/webhooks/resource/fake.go | 2 +- 31 files changed, 105 insertions(+), 102 deletions(-) 
diff --git a/api/kyverno/v2/policy_exception_types.go b/api/kyverno/v2/policy_exception_types.go index d18372a9795c..c659dc8b147c 100644 --- a/api/kyverno/v2/policy_exception_types.go +++ b/api/kyverno/v2/policy_exception_types.go @@ -101,6 +101,11 @@ func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) for i, e := range p.Exceptions { errs = append(errs, e.Validate(exceptionsPath.Index(i))...) } + + podSecuityPath := path.Child("podSecurity") + for i, p := range p.PodSecurity { + errs = append(errs, p.Validate(podSecuityPath.Index(i))...) + } return errs } diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command.go b/cmd/cli/kubectl-kyverno/commands/apply/command.go index 240f161a57b6..97c9ea3baa20 100644 --- a/cmd/cli/kubectl-kyverno/commands/apply/command.go +++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go @@ -13,7 +13,6 @@ import ( "github.com/go-git/go-billy/v5/memfs" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/command" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception" @@ -167,7 +166,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul if err != nil { return rc, resources1, skipInvalidPolicies, responses1, err } - var exceptions []*kyvernov2beta1.PolicyException + var exceptions []*kyvernov2.PolicyException if c.inlineExceptions { exceptions = exception.SelectFrom(resources) } else { 
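Review bot: In the loop added to PolicyExceptionSpec.Validate, `for i, p := range p.PodSecurity` shadows the receiver `p` for the whole loop body, and the new path variable is misspelled `podSecuityPath`; neither breaks the code, since the range expression is evaluated before the loop variable exists, but both read like mistakes and the shadowing hides the receiver from anything added to that body later. I would rename both: `podSecurityPath := path.Child("podSecurity")`, `for i, ps := range p.PodSecurity {` and `errs = append(errs, ps.Validate(podSecurityPath.Index(i))...)`. A one-line comment above the loop, `// validate each podSecurity entry the same way the exceptions list is validated above`, would also tell the reader why the two loops mirror each other.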
@@ -260,7 +259,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource( vars *variables.Variables, policies []kyvernov1.PolicyInterface, resources []*unstructured.Unstructured, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, skipInvalidPolicies *SkippedInvalidPolicies, dClient dclient.Interface, userInfo *kyvernov2.RequestInfo, diff --git a/cmd/cli/kubectl-kyverno/exception/load.go b/cmd/cli/kubectl-kyverno/exception/load.go index 8b62cf820607..d5deaaeb399c 100644 --- a/cmd/cli/kubectl-kyverno/exception/load.go +++ b/cmd/cli/kubectl-kyverno/exception/load.go @@ -21,8 +21,8 @@ var ( exceptionV2 = schema.GroupVersion(kyvernov2.GroupVersion).WithKind("PolicyException") ) -func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) { - var out []*kyvernov2beta1.PolicyException +func Load(paths ...string) ([]*kyvernov2.PolicyException, error) { + var out []*kyvernov2.PolicyException for _, path := range paths { bytes, err := os.ReadFile(filepath.Clean(path)) if err != nil { @@ -37,12 +37,12 @@ func Load(paths ...string) ([]*kyvernov2beta1.PolicyException, error) { return out, nil } -func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) { +func load(content []byte) ([]*kyvernov2.PolicyException, error) { documents, err := yamlutils.SplitDocuments(content) if err != nil { return nil, err } - var exceptions []*kyvernov2beta1.PolicyException + var exceptions []*kyvernov2.PolicyException crds, err := data.Crds() if err != nil { return nil, err @@ -60,7 +60,7 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) { } switch gvk { case exceptionV2beta1, exceptionV2: - exception, err := convert.To[kyvernov2beta1.PolicyException](untyped) + exception, err := convert.To[kyvernov2.PolicyException](untyped) if err != nil { return nil, err } 
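Review bot: In load, a document whose GVK is exceptionV2beta1 is now decoded with `convert.To[kyvernov2.PolicyException](untyped)`, exactly like a v2 document, so the CLI now relies on the two API versions having the same wire shape; presumably they do today, but any v2-only field (the podSecurity list this same commit validates in api/kyverno/v2) would simply decode as empty from a v2beta1 document and the exception would still be accepted without any signal. SelectFrom in the next hunk does the same. Recording the assumption at the case, `// v2beta1 and v2 currently share one schema; both are decoded as v2`, would make the dependency visible, and an explicit conversion step would be the natural place to put any difference if one appears.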
@@ -72,12 +72,12 @@ func load(content []byte) ([]*kyvernov2beta1.PolicyException, error) { return exceptions, nil } -func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2beta1.PolicyException { - var exceptions []*kyvernov2beta1.PolicyException +func SelectFrom(resources []*unstructured.Unstructured) []*kyvernov2.PolicyException { + var exceptions []*kyvernov2.PolicyException for _, resource := range resources { switch resource.GroupVersionKind() { case exceptionV2beta1, exceptionV2: - exception, err := convert.To[kyvernov2beta1.PolicyException](*resource) + exception, err := convert.To[kyvernov2.PolicyException](*resource) if err == nil { exceptions = append(exceptions, exception) } diff --git a/cmd/cli/kubectl-kyverno/processor/exceptions.go b/cmd/cli/kubectl-kyverno/processor/exceptions.go index bf6cb2b4c721..528a2daa5c46 100644 --- a/cmd/cli/kubectl-kyverno/processor/exceptions.go +++ b/cmd/cli/kubectl-kyverno/processor/exceptions.go @@ -1,16 +1,16 @@ package processor import ( - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "k8s.io/apimachinery/pkg/labels" ) type policyExceptionLister struct { - exceptions []*kyvernov2beta1.PolicyException + exceptions []*kyvernov2.PolicyException } -func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2beta1.PolicyException, error) { - var out []*kyvernov2beta1.PolicyException +func (l *policyExceptionLister) List(selector labels.Selector) ([]*kyvernov2.PolicyException, error) { + var out []*kyvernov2.PolicyException for _, exception := range l.exceptions { exceptionLabels := labels.Set(exception.GetLabels()) if selector.Matches(exceptionLabels) { diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 17992af18503..415191dfed23 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go 
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -11,7 +11,6 @@ import ( json_patch "github.com/evanphx/json-patch/v5" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/apis/v1alpha1" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/store" @@ -40,7 +39,7 @@ type PolicyProcessor struct { Store *store.Store Policies []kyvernov1.PolicyInterface Resource unstructured.Unstructured - PolicyExceptions []*kyvernov2beta1.PolicyException + PolicyExceptions []*kyvernov2.PolicyException MutateLogPath string MutateLogPathIsDir bool Variables *variables.Variables diff --git a/cmd/internal/engine.go b/cmd/internal/engine.go index b5178dddf203..670050ce293f 100644 --- a/cmd/internal/engine.go +++ b/cmd/internal/engine.go @@ -68,7 +68,7 @@ func NewExceptionSelector( polexCache := exceptioncontroller.NewController( kyvernoInformer.Kyverno().V1().ClusterPolicies(), kyvernoInformer.Kyverno().V1().Policies(), - kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(), + kyvernoInformer.Kyverno().V2().PolicyExceptions(), exceptionNamespace, ) polexController := NewController( diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index ee037c9f2f60..1c4831b6f9bf 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -221,7 +221,7 @@ func createrLeaderControllers( kyvernoClient, dynamicClient.Discovery(), kyvernoInformer.Kyverno().V1().ClusterPolicies(), - kyvernoInformer.Kyverno().V2beta1().PolicyExceptions(), + kyvernoInformer.Kyverno().V2().PolicyExceptions(), kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicies(), kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings(), eventGenerator, 
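Review bot: `kyvernoInformer.Kyverno().V2().PolicyExceptions()` in NewExceptionSelector, and the same swap in createrLeaderControllers on the next hunk and in cmd/reports-controller/main.go, make the controllers list and watch the v2 version of PolicyException, so the CRD installed in the cluster must serve v2 or these informers will not sync; as far as these hunks show, nothing surfaces that condition beyond the informer's own logging, and exceptions would silently stop being applied. If the CRD shipped in this tree already serves v2 this is fine, but the commit description should say that the updated CRD has to be applied before the binaries during an upgrade.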
diff --git a/cmd/reports-controller/main.go b/cmd/reports-controller/main.go index 450f32950685..d292eb08578d 100644 --- a/cmd/reports-controller/main.go +++ b/cmd/reports-controller/main.go @@ -76,7 +76,7 @@ func createReportControllers( vapBindingInformer = kubeInformer.Admissionregistration().V1alpha1().ValidatingAdmissionPolicyBindings() } kyvernoV1 := kyvernoInformer.Kyverno().V1() - kyvernoV2beta1 := kyvernoInformer.Kyverno().V2beta1() + kyvernoV2 := kyvernoInformer.Kyverno().V2() if backgroundScan || admissionReports { resourceReportController := resourcereportcontroller.NewController( client, @@ -114,7 +114,7 @@ func createReportControllers( metadataFactory, kyvernoV1.Policies(), kyvernoV1.ClusterPolicies(), - kyvernoV2beta1.PolicyExceptions(), + kyvernoV2.PolicyExceptions(), vapInformer, vapBindingInformer, kubeInformer.Core().V1().Namespaces(), diff --git a/pkg/controllers/exceptions/controller.go b/pkg/controllers/exceptions/controller.go index 5ac7141150d3..17beda5dcd62 100644 --- a/pkg/controllers/exceptions/controller.go +++ b/pkg/controllers/exceptions/controller.go 
@@ -9,12 +9,12 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/autogen" kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" - kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1" + kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" - kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1" + kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" @@ -22,7 +22,7 @@ import ( "k8s.io/client-go/util/workqueue" ) -type ruleIndex = map[string][]*kyvernov2beta1.PolicyException +type ruleIndex = map[string][]*kyvernov2.PolicyException type policyIndex = map[string]ruleIndex @@ -30,7 +30,7 @@ type controller struct { // listers cpolLister kyvernov1listers.ClusterPolicyLister polLister kyvernov1listers.PolicyLister - polexLister kyvernov2beta1listers.PolicyExceptionLister + polexLister kyvernov2listers.PolicyExceptionLister // queue queue workqueue.RateLimitingInterface @@ -50,7 +50,7 @@ const ( func NewController( cpolInformer kyvernov1informers.ClusterPolicyInformer, polInformer kyvernov1informers.PolicyInformer, - polexInformer kyvernov2beta1informers.PolicyExceptionInformer, + polexInformer kyvernov2informers.PolicyExceptionInformer, namespace string, ) *controller { queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName) 
@@ -78,13 +78,13 @@ func (c *controller) Run(ctx context.Context, workers int) { controllerutils.Run(ctx, logger.V(3), ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile) } -func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) { +func (c *controller) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) { c.lock.RLock() defer c.lock.RUnlock() return c.index[policyName][ruleName], nil } -func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) { +func (c *controller) addPolex(polex *kyvernov2.PolicyException) { names := sets.New[string]() for _, ex := range polex.Spec.Exceptions { names.Insert(ex.PolicyName) @@ -94,7 +94,7 @@ func (c *controller) addPolex(polex *kyvernov2beta1.PolicyException) { } } -func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyvernov2beta1.PolicyException) { +func (c *controller) updatePolex(old *kyvernov2.PolicyException, new *kyvernov2.PolicyException) { names := sets.New[string]() for _, ex := range old.Spec.Exceptions { names.Insert(ex.PolicyName) @@ -107,7 +107,7 @@ func (c *controller) updatePolex(old *kyvernov2beta1.PolicyException, new *kyver } } -func (c *controller) deletePolex(polex *kyvernov2beta1.PolicyException) { +func (c *controller) deletePolex(polex *kyvernov2.PolicyException) { names := sets.New[string]() for _, ex := range polex.Spec.Exceptions { names.Insert(ex.PolicyName) @@ -133,7 +133,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac } } -func (c *controller) listExceptions() ([]*kyvernov2beta1.PolicyException, error) { +func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) { if c.namespace == "" { return c.polexLister.List(labels.Everything()) } 
@@ -145,7 +145,7 @@ func (c *controller) buildRuleIndex(key string, policy kyvernov1.PolicyInterface if err != nil { return nil, err } - slices.SortFunc(polexList, func(a, b *kyvernov2beta1.PolicyException) int { + slices.SortFunc(polexList, func(a, b *kyvernov2.PolicyException) int { if cmp := cmp.Compare(a.Namespace, b.Namespace); cmp != 0 { return cmp } diff --git a/pkg/controllers/report/background/controller.go b/pkg/controllers/report/background/controller.go index ff3d56c4d5b7..ca03bb91ac51 100644 --- a/pkg/controllers/report/background/controller.go +++ b/pkg/controllers/report/background/controller.go @@ -6,14 +6,14 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" reportsv1 "github.com/kyverno/kyverno/api/reports/v1" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" - kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1" + kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" - kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1" + kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/controllers" 
@@ -57,7 +57,7 @@ type controller struct { // listers polLister kyvernov1listers.PolicyLister cpolLister kyvernov1listers.ClusterPolicyLister - polexLister kyvernov2beta1listers.PolicyExceptionLister + polexLister kyvernov2listers.PolicyExceptionLister vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister vapBindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister bgscanrLister cache.GenericLister @@ -85,7 +85,7 @@ func NewController( metadataFactory metadatainformers.SharedInformerFactory, polInformer kyvernov1informers.PolicyInformer, cpolInformer kyvernov1informers.ClusterPolicyInformer, - polexInformer kyvernov2beta1informers.PolicyExceptionInformer, + polexInformer kyvernov2informers.PolicyExceptionInformer, vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer, vapBindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer, nsInformer corev1informers.NamespaceInformer, @@ -171,17 +171,17 @@ func (c *controller) deletePolicy(obj kyvernov1.PolicyInterface) { c.enqueueResources() } -func (c *controller) addException(obj *kyvernov2beta1.PolicyException) { +func (c *controller) addException(obj *kyvernov2.PolicyException) { c.enqueueResources() } -func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) { +func (c *controller) updateException(old, obj *kyvernov2.PolicyException) { if old.GetResourceVersion() != obj.GetResourceVersion() { c.enqueueResources() } } -func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) { +func (c *controller) deleteException(obj *kyvernov2.PolicyException) { c.enqueueResources() } 
@@ -243,7 +243,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) { } } -func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2beta1.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) { +func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy) (bool, bool, error) { // if the reportMetadata does not exist, we need a full reconcile reportMetadata, err := c.getMeta(namespace, name) if err != nil { @@ -302,7 +302,7 @@ func (c *controller) reconcileReport( uid types.UID, gvk schema.GroupVersionKind, resource resource.Resource, - exceptions []kyvernov2beta1.PolicyException, + exceptions []kyvernov2.PolicyException, bindings []admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding, policies ...engineapi.GenericPolicy, ) error { diff --git a/pkg/controllers/report/utils/utils.go b/pkg/controllers/report/utils/utils.go index 5d76f53b17fb..133257b233e2 100644 --- a/pkg/controllers/report/utils/utils.go +++ b/pkg/controllers/report/utils/utils.go 
@@ -3,11 +3,11 @@ package utils import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" reportsv1 "github.com/kyverno/kyverno/api/reports/v1" "github.com/kyverno/kyverno/pkg/autogen" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" - kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1" + kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" datautils "github.com/kyverno/kyverno/pkg/utils/data" policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy" admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1" @@ -111,8 +111,8 @@ func FetchPolicies(polLister kyvernov1listers.PolicyLister, namespace string) ([ return policies, nil } -func FetchPolicyExceptions(polexLister kyvernov2beta1listers.PolicyExceptionLister, namespace string) ([]kyvernov2beta1.PolicyException, error) { - var exceptions []kyvernov2beta1.PolicyException +func FetchPolicyExceptions(polexLister kyvernov2listers.PolicyExceptionLister, namespace string) ([]kyvernov2.PolicyException, error) { + var exceptions []kyvernov2.PolicyException if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil { return nil, err } else { diff --git a/pkg/controllers/validatingadmissionpolicy-generate/controller.go b/pkg/controllers/validatingadmissionpolicy-generate/controller.go index 3a8a6a1d9ddc..d330c4a997f9 100644 --- a/pkg/controllers/validatingadmissionpolicy-generate/controller.go +++ b/pkg/controllers/validatingadmissionpolicy-generate/controller.go 
@@ -7,13 +7,13 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/auth/checker" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" - kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1" + kyvernov2informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2" kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" - kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1" + kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2" "github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/controllers" "github.com/kyverno/kyverno/pkg/event" @@ -48,7 +48,7 @@ type controller struct { // listers cpolLister kyvernov1listers.ClusterPolicyLister - polexLister kyvernov2beta1listers.PolicyExceptionLister + polexLister kyvernov2listers.PolicyExceptionLister vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister vapbindingLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyBindingLister @@ -64,7 +64,7 @@ func NewController( kyvernoClient versioned.Interface, discoveryClient dclient.IDiscovery, cpolInformer kyvernov1informers.ClusterPolicyInformer, - polexInformer kyvernov2beta1informers.PolicyExceptionInformer, + polexInformer kyvernov2informers.PolicyExceptionInformer, vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer, vapbindingInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyBindingInformer, eventGen event.Interface, 
@@ -148,12 +148,12 @@ func (c *controller) enqueuePolicy(obj kyvernov1.PolicyInterface) { c.queue.Add(key) } -func (c *controller) addException(obj *kyvernov2beta1.PolicyException) { +func (c *controller) addException(obj *kyvernov2.PolicyException) { logger.Info("policy exception created", "uid", obj.GetUID(), "kind", obj.GetKind(), "name", obj.GetName()) c.enqueueException(obj) } -func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) { +func (c *controller) updateException(old, obj *kyvernov2.PolicyException) { if datautils.DeepEqual(old.Spec, obj.Spec) { return } @@ -161,14 +161,14 @@ func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) { c.enqueueException(obj) } -func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) { - polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2beta1.PolicyException) +func (c *controller) deleteException(obj *kyvernov2.PolicyException) { + polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException) logger.Info("policy exception deleted", "uid", polex.GetUID(), "kind", polex.GetKind(), "name", polex.GetName()) c.enqueueException(obj) } -func (c *controller) enqueueException(obj *kyvernov2beta1.PolicyException) { +func (c *controller) enqueueException(obj *kyvernov2.PolicyException) { for _, exception := range obj.Spec.Exceptions { // skip adding namespaced policies in the queue. // skip adding policies with multiple rules in the queue. diff --git a/pkg/engine/api/ruleresponse.go b/pkg/engine/api/ruleresponse.go index b0726439da9f..c45f6a6494da 100644 --- a/pkg/engine/api/ruleresponse.go +++ b/pkg/engine/api/ruleresponse.go @@ -3,7 +3,7 @@ package api import ( "fmt" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" pssutils "github.com/kyverno/kyverno/pkg/pss/utils" "k8s.io/api/admissionregistration/v1alpha1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
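Review bot: In deleteException the tombstone unwrap keeps an unchecked assertion, `polex := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException)`, which would panic inside the informer callback if the tombstone ever wrapped another type; since `obj` already arrives typed as `*kyvernov2.PolicyException` in this signature the unwrap may be moot, but if it stays it should use the two-value form, `polex, ok := kubeutils.GetObjectWithTombstone(obj).(*kyvernov2.PolicyException)` followed by `if !ok { return }`. The function also logs `polex` but enqueues `obj`; presumably these are the same object, and using one name for both would make that obvious.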
@@ -44,7 +44,7 @@ type RuleResponse struct { // podSecurityChecks contains pod security checks (only if this is a pod security rule) podSecurityChecks *PodSecurityChecks // exception is the exception applied (if any) - exception *kyvernov2beta1.PolicyException + exception *kyvernov2.PolicyException // binding is the validatingadmissionpolicybinding (if any) binding *v1alpha1.ValidatingAdmissionPolicyBinding // emitWarning enable passing rule message as warning to api server warning header @@ -88,7 +88,7 @@ func RuleFail(name string, ruleType RuleType, msg string) *RuleResponse { return NewRuleResponse(name, ruleType, msg, RuleStatusFail) } -func (r RuleResponse) WithException(exception *kyvernov2beta1.PolicyException) *RuleResponse { +func (r RuleResponse) WithException(exception *kyvernov2.PolicyException) *RuleResponse { r.exception = exception return &r } @@ -129,7 +129,7 @@ func (r *RuleResponse) Stats() ExecutionStats { return r.stats } -func (r *RuleResponse) Exception() *kyvernov2beta1.PolicyException { +func (r *RuleResponse) Exception() *kyvernov2.PolicyException { return r.exception } diff --git a/pkg/engine/api/selector.go b/pkg/engine/api/selector.go index 2727b06d75f9..353a78b4a9a7 100644 --- a/pkg/engine/api/selector.go +++ b/pkg/engine/api/selector.go @@ -1,12 +1,12 @@ package api import ( - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" ) // PolicyExceptionSelector is an abstract interface used to resolve poliicy exceptions type PolicyExceptionSelector interface { // Find returns policy exceptions matching a given policy name and rule name. // Objects returned here must be treated as read-only. - Find(string, string) ([]*kyvernov2beta1.PolicyException, error) + Find(string, string) ([]*kyvernov2.PolicyException, error) } diff --git a/pkg/engine/exceptions.go b/pkg/engine/exceptions.go index d25c01029b20..8afeff2bf8bc 100644 --- a/pkg/engine/exceptions.go 
+++ b/pkg/engine/exceptions.go @@ -2,7 +2,7 @@ package engine import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "k8s.io/client-go/tools/cache" ) @@ -10,7 +10,7 @@ import ( func (e *engine) GetPolicyExceptions( policy kyvernov1.PolicyInterface, rule string, -) ([]*kyvernov2beta1.PolicyException, error) { +) ([]*kyvernov2.PolicyException, error) { if e.exceptionSelector == nil { return nil, nil } diff --git a/pkg/engine/handlers/handler.go b/pkg/engine/handlers/handler.go index 3bc29e2b0d42..0f5b035c2e66 100644 --- a/pkg/engine/handlers/handler.go +++ b/pkg/engine/handlers/handler.go @@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -18,7 +18,7 @@ type Handler interface { unstructured.Unstructured, kyvernov1.Rule, engineapi.EngineContextLoader, - []*kyvernov2beta1.PolicyException, + []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) } diff --git a/pkg/engine/handlers/mutation/mutate_existing.go b/pkg/engine/handlers/mutation/mutate_existing.go index d3362b610fb4..3607434de0d8 100644 --- a/pkg/engine/handlers/mutation/mutate_existing.go +++ b/pkg/engine/handlers/mutation/mutate_existing.go @@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" 
@@ -35,7 +35,7 @@ func (h mutateExistingHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/mutation/mutate_image.go b/pkg/engine/handlers/mutation/mutate_image.go index 4af18a38d9d2..8775c4531b82 100644 --- a/pkg/engine/handlers/mutation/mutate_image.go +++ b/pkg/engine/handlers/mutation/mutate_image.go @@ -6,7 +6,7 @@ import ( json_patch "github.com/evanphx/json-patch/v5" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" @@ -66,7 +66,7 @@ func (h mutateImageHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/mutation/mutate_resource.go b/pkg/engine/handlers/mutation/mutate_resource.go index 5be61a5655af..af182612edd7 100644 --- a/pkg/engine/handlers/mutation/mutate_resource.go +++ b/pkg/engine/handlers/mutation/mutate_resource.go 
@@ -5,7 +5,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/mutate" @@ -28,7 +28,7 @@ func (h mutateResourceHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go index aba0e5f3bd10..e1f01bb6f681 100644 --- a/pkg/engine/handlers/validation/validate_cel.go +++ b/pkg/engine/handlers/validation/validate_cel.go @@ -6,7 +6,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" @@ -45,7 +45,7 @@ func (h validateCELHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { if engineutils.IsDeleteRequest(policyContext) { logger.V(3).Info("skipping CEL validation on deleted resource") 
diff --git a/pkg/engine/handlers/validation/validate_image.go b/pkg/engine/handlers/validation/validate_image.go index 6115f987b1f8..15952c46b412 100644 --- a/pkg/engine/handlers/validation/validate_image.go +++ b/pkg/engine/handlers/validation/validate_image.go @@ -7,7 +7,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" @@ -45,7 +45,7 @@ func (h validateImageHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_manifest.go b/pkg/engine/handlers/validation/validate_manifest.go index 5cf06eb3ef63..054896787887 100644 --- a/pkg/engine/handlers/validation/validate_manifest.go +++ b/pkg/engine/handlers/validation/validate_manifest.go @@ -15,7 +15,7 @@ import ( "github.com/ghodss/yaml" "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "github.com/kyverno/kyverno/pkg/config" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" 
@@ -57,7 +57,7 @@ func (h validateManifestHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go index 991f07ff2ffc..b6ae4519601d 100644 --- a/pkg/engine/handlers/validation/validate_pss.go +++ b/pkg/engine/handlers/validation/validate_pss.go @@ -9,7 +9,7 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" engineutils "github.com/kyverno/kyverno/pkg/engine/utils" @@ -37,7 +37,7 @@ func (h validatePssHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, _ engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { if engineutils.IsDeleteRequest(policyContext) { logger.V(3).Info("skipping PSS validation on deleted resource") diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index ead88dd1d7b6..2d2089c6add2 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go 
@@ -9,7 +9,7 @@ import ( "github.com/go-logr/logr" gojmespath "github.com/kyverno/go-jmespath" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/handlers" "github.com/kyverno/kyverno/pkg/engine/internal" @@ -38,7 +38,7 @@ func (h validateResourceHandler) Process( resource unstructured.Unstructured, rule kyvernov1.Rule, contextLoader engineapi.EngineContextLoader, - exceptions []*kyvernov2beta1.PolicyException, + exceptions []*kyvernov2.PolicyException, ) (unstructured.Unstructured, []engineapi.RuleResponse) { // check if there is a policy exception matches the incoming resource exception := engineutils.MatchesException(exceptions, policyContext, logger) diff --git a/pkg/engine/utils/exceptions.go b/pkg/engine/utils/exceptions.go index bf87c3c84baa..18c2a62bf74d 100644 --- a/pkg/engine/utils/exceptions.go +++ b/pkg/engine/utils/exceptions.go @@ -15,7 +15,7 @@ import ( // MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource. // It returns the matched policy exception. -func MatchesException(polexs []*kyvernov2beta1.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2beta1.PolicyException { +func MatchesException(polexs []*kyvernov2.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) *kyvernov2.PolicyException { gvk, subresource := policyContext.ResourceKind() resource := policyContext.NewResource() if resource.Object == nil { diff --git a/pkg/exceptions/selector.go b/pkg/exceptions/selector.go index 486e69691b29..430fb8cb20e8 100644 --- a/pkg/exceptions/selector.go +++ b/pkg/exceptions/selector.go 
@@ -1,12 +1,12 @@ package exceptions import ( - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" "k8s.io/apimachinery/pkg/labels" ) type Lister interface { - List(labels.Selector) ([]*kyvernov2beta1.PolicyException, error) + List(labels.Selector) ([]*kyvernov2.PolicyException, error) } type selector struct { @@ -19,12 +19,12 @@ func New(lister Lister) selector { } } -func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2beta1.PolicyException, error) { +func (s selector) Find(policyName string, ruleName string) ([]*kyvernov2.PolicyException, error) { polexs, err := s.lister.List(labels.Everything()) if err != nil { return nil, err } - var results []*kyvernov2beta1.PolicyException + var results []*kyvernov2.PolicyException for _, polex := range polexs { if polex.Contains(policyName, ruleName) { results = append(results, polex) diff --git a/pkg/utils/admission/exception.go b/pkg/utils/admission/exception.go index cab279ac141a..c1f3e7a02c9e 100644 --- a/pkg/utils/admission/exception.go +++ b/pkg/utils/admission/exception.go 
@@ -1,21 +1,21 @@ package admission import ( - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" admissionv1 "k8s.io/api/admission/v1" "k8s.io/apimachinery/pkg/util/json" ) -func UnmarshalPolicyException(raw []byte) (*kyvernov2beta1.PolicyException, error) { - var exception *kyvernov2beta1.PolicyException +func UnmarshalPolicyException(raw []byte) (*kyvernov2.PolicyException, error) { + var exception *kyvernov2.PolicyException if err := json.Unmarshal(raw, &exception); err != nil { return nil, err } return exception, nil } -func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2beta1.PolicyException, *kyvernov2beta1.PolicyException, error) { - var empty *kyvernov2beta1.PolicyException +func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2.PolicyException, *kyvernov2.PolicyException, error) { + var empty *kyvernov2.PolicyException exception, err := UnmarshalPolicyException(request.Object.Raw) if err != nil { return exception, empty, err diff --git a/pkg/utils/admission/exception_test.go b/pkg/utils/admission/exception_test.go index 6ede188faa0b..2d179013d48b 100644 --- a/pkg/utils/admission/exception_test.go +++ b/pkg/utils/admission/exception_test.go @@ -6,7 +6,7 @@ import ( "k8s.io/apimachinery/pkg/util/json" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" admissionv1 "k8s.io/api/admission/v1" "k8s.io/apimachinery/pkg/runtime" ) @@ -56,7 +56,7 @@ func TestUnmarshalPolicyException(t *testing.T) { if err != nil { t.Errorf("Unexpected error: %v", err) } - var exception *kyvernov2beta1.PolicyException + var exception *kyvernov2.PolicyException json.Unmarshal(test.raw, &exception) if !reflect.DeepEqual(result, exception) { t.Errorf("Expected %+v, got %+v", exception, result) 
@@ -155,7 +155,7 @@ func TestGetPolicyExceptions(t *testing.T) { for _, test := range testCases { t.Run(test.name, func(t *testing.T) { p1, p2, _ := GetPolicyExceptions(test.args.request) - var empty *kyvernov2beta1.PolicyException + var empty *kyvernov2.PolicyException expectedP1, err := UnmarshalPolicyException(test.args.request.Object.Raw) if err != nil { expectedP2 := empty diff --git a/pkg/utils/report/metadata.go b/pkg/utils/report/metadata.go index 0f4fba7c285c..9b4aa159a6f3 100644 --- a/pkg/utils/report/metadata.go +++ b/pkg/utils/report/metadata.go @@ -9,7 +9,7 @@ import ( "github.com/kyverno/kyverno/api/kyverno" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" reportsv1 "github.com/kyverno/kyverno/api/reports/v1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" @@ -85,7 +85,7 @@ func PolicyLabel(policy engineapi.GenericPolicy) string { return PolicyLabelPrefix(policy) + policy.GetName() } -func PolicyExceptionLabel(exception kyvernov2beta1.PolicyException) string { +func PolicyExceptionLabel(exception kyvernov2.PolicyException) string { return LabelPrefixPolicyException + exception.GetName() } @@ -164,7 +164,7 @@ func SetPolicyLabel(report reportsv1.ReportInterface, policy engineapi.GenericPo controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion()) } -func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2beta1.PolicyException) { +func SetPolicyExceptionLabel(report reportsv1.ReportInterface, exception kyvernov2.PolicyException) { controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion()) } diff --git a/pkg/validation/exception/validate.go b/pkg/validation/exception/validate.go index 17462e584ee8..f07777499570 100644 --- a/pkg/validation/exception/validate.go 
+++ b/pkg/validation/exception/validate.go @@ -4,7 +4,7 @@ import ( "context" "github.com/go-logr/logr" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2" ) const ( @@ -18,7 +18,7 @@ type ValidationOptions struct { } // Validate checks policy exception is valid -func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2beta1.PolicyException, opts ValidationOptions) ([]string, error) { +func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyException, opts ValidationOptions) ([]string, error) { var warnings []string if !opts.Enabled { warnings = append(warnings, disabledPolex) diff --git a/pkg/webhooks/resource/fake.go b/pkg/webhooks/resource/fake.go index 2c93df6c01c3..8dd04bdc6129 100644 --- a/pkg/webhooks/resource/fake.go +++ b/pkg/webhooks/resource/fake.go @@ -40,7 +40,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) *resour dclient := dclient.NewEmptyFakeClient() configuration := config.NewDefaultConfiguration(false) urLister := kyvernoInformers.Kyverno().V2().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace()) - peLister := kyvernoInformers.Kyverno().V2beta1().PolicyExceptions().Lister() + peLister := kyvernoInformers.Kyverno().V2().PolicyExceptions().Lister() jp := jmespath.New(configuration) rclient := registryclient.NewOrDie() From 018d45cb290744308cd0d05eca437f5d6aac34c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 25 Jun 2024 05:16:30 +0200 Subject: [PATCH 08/10] feat: add reports circuit breaker (#10499) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add reports circuit breaker Signed-off-by: Charles-Edouard Brétéché * improve metrics and granularity Signed-off-by: Charles-Edouard Brétéché --------- 
Signed-off-by: Charles-Edouard Brétéché --- cmd/kyverno/breaker.go | 146 ++++++++++++++++++ cmd/kyverno/main.go | 13 +- pkg/d4f/breaker.go | 66 ++++++++ pkg/d4f/breaker_test.go | 77 +++++++++ pkg/webhooks/resource/handlers.go | 29 +++- .../resource/imageverification/handler.go | 11 +- .../resource/validation/validation.go | 9 +- 7 files changed, 345 insertions(+), 6 deletions(-) create mode 100644 cmd/kyverno/breaker.go create mode 100644 pkg/d4f/breaker.go create mode 100644 pkg/d4f/breaker_test.go diff --git a/cmd/kyverno/breaker.go b/cmd/kyverno/breaker.go new file mode 100644 index 000000000000..83ee6e5ec45f --- /dev/null +++ b/cmd/kyverno/breaker.go 
@@ -0,0 +1,146 @@
+package main
+
+import (
+ "context"
+ "errors"
+
+ reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
+ "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/watch"
+ metadataclient "k8s.io/client-go/metadata"
+ "k8s.io/client-go/tools/cache"
+ watchtools "k8s.io/client-go/tools/watch"
+)
+
+type Counter interface {
+ Count() int
+}
+
+type resourcesCount struct {
+ store cache.Store
+}
+
+func (c *resourcesCount) Count() int {
+ return len(c.store.List())
+}
+
+func StartAdmissionReportsWatcher(ctx context.Context, client metadataclient.Interface) (*resourcesCount, error) {
+ gvr := reportsv1.SchemeGroupVersion.WithResource("ephemeralreports")
+ todo := context.TODO()
+ tweakListOptions := func(lo *metav1.ListOptions) {
+ lo.LabelSelector = "audit.kyverno.io/source==admission"
+ }
+ informer := cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
+ tweakListOptions(&options)
+ return client.Resource(gvr).Namespace(metav1.NamespaceAll).List(todo, options)
+ },
+ WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+ tweakListOptions(&options)
+ return client.Resource(gvr).Namespace(metav1.NamespaceAll).Watch(todo, options)
+ },
+ },
+ &metav1.PartialObjectMetadata{},
+ resyncPeriod,
+ cache.Indexers{},
+ )
+ err := informer.SetTransform(func(in any) (any, error) {
+ {
+ in := in.(*metav1.PartialObjectMetadata)
+ return &metav1.PartialObjectMetadata{
+ TypeMeta: in.TypeMeta,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: in.Name,
+ GenerateName: in.GenerateName,
+ Namespace: in.Namespace,
+ },
+ }, nil
+ }
+ })
+ if err != nil {
+ return nil, err
+ }
+ go func() {
+ informer.Run(todo.Done())
+ }()
+ if !cache.WaitForCacheSync(ctx.Done(), informer.HasSynced) {
+ return nil, errors.New("failed to sync cache")
+ }
+ return &resourcesCount{
+ store: informer.GetStore(),
+ }, nil
+}
+
+type counter struct {
+ count int
+}
+
+func (c *counter) Count() int {
+ return c.count
+}
+
+func StartResourceCounter(ctx context.Context, client metadataclient.Interface, gvr schema.GroupVersionResource, tweakListOptions internalinterfaces.TweakListOptionsFunc) (*counter, error) {
+ objs, err := client.Resource(gvr).List(ctx, metav1.ListOptions{})
+ if err != nil {
+ return nil, err
+ }
+ watcher := &cache.ListWatch{
+ WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.Resource(gvr).Watch(ctx, options)
+ },
+ }
+ watchInterface, err := watchtools.NewRetryWatcher(objs.GetResourceVersion(), watcher)
+ if err != nil {
+ return nil, err
+ }
+ w := &counter{
+ count: len(objs.Items),
+ }
+ go func() {
+ for event := range watchInterface.ResultChan() {
+ switch event.Type {
+ case watch.Added:
+ w.count = w.count + 1
+ case watch.Deleted:
+ w.count = w.count - 1
+ }
+ }
+ }()
+ return w, nil
+}
+
+func StartAdmissionReportsCounter(ctx context.Context, client metadataclient.Interface) (Counter, error) {
+ tweakListOptions := func(lo *metav1.ListOptions) {
+ lo.LabelSelector = "audit.kyverno.io/source==admission"
+ }
+ ephrs, err := StartResourceCounter(ctx, client, reportsv1.SchemeGroupVersion.WithResource("ephemeralreports"), tweakListOptions)
+ if err != nil {
+ return nil, err
+ }
+ cephrs, err := StartResourceCounter(ctx, client, reportsv1.SchemeGroupVersion.WithResource("clusterephemeralreports"), tweakListOptions)
+ if err != nil {
+ return nil, err
+ }
+ return composite{
+ inner: []Counter{ephrs, cephrs},
+ }, nil
+}
+
+type composite struct {
+ inner []Counter
+}
+
+func (c composite) Count() int {
+ sum := 0
+ for _, counter := range c.inner {
+ sum += counter.Count()
+ }
+ return sum
+}
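Review bot: The initial List in StartResourceCounter ignores tweakListOptions, so the starting count includes every ephemeral report while the watch only tracks those matching the label selector, and the breaker threshold is compared against a mixed number from the first call onward. Apply the same options to the List call, and since Count() is read from webhook goroutines while the watch goroutine writes w.count, make the counter atomic (sync/atomic's atomic.Int64) rather than a plain int. The goroutine also stops updating silently when the retry watcher's result channel closes or it receives a watch.Error event, which would freeze the breaker in whatever state it was in; at least log that. StartAdmissionReportsWatcher appears unused by this commit and runs its informer on context.TODO(), so it would never stop if it is wired in later.
```go
// … unchanged: Counter interface, resourcesCount, StartAdmissionReportsWatcher …

type counter struct {
	count atomic.Int64 // written by the watch goroutine, read by Count() from webhook handlers
}

func (c *counter) Count() int {
	return int(c.count.Load())
}

func StartResourceCounter(ctx context.Context, client metadataclient.Interface, gvr schema.GroupVersionResource, tweakListOptions internalinterfaces.TweakListOptionsFunc) (*counter, error) {
	// the initial List must use the same selector as the watch, otherwise the baseline and the deltas count different sets
	listOptions := metav1.ListOptions{}
	if tweakListOptions != nil {
		tweakListOptions(&listOptions)
	}
	objs, err := client.Resource(gvr).List(ctx, listOptions)
	if err != nil {
		return nil, err
	}
	// … unchanged: watcher and retry watcher setup …
	w := &counter{}
	w.count.Store(int64(len(objs.Items)))
	go func() {
		for event := range watchInterface.ResultChan() {
			switch event.Type {
			case watch.Added:
				w.count.Add(1)
			case watch.Deleted:
				w.count.Add(-1)
			}
		}
	}()
	return w, nil
}
```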
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 1c4831b6f9bf..e593cd03bacc 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -25,6 +25,7 @@ import ( policycachecontroller "github.com/kyverno/kyverno/pkg/controllers/policycache" vapcontroller "github.com/kyverno/kyverno/pkg/controllers/validatingadmissionpolicy-generate" webhookcontroller "github.com/kyverno/kyverno/pkg/controllers/webhook" + "github.com/kyverno/kyverno/pkg/d4f" "github.com/kyverno/kyverno/pkg/engine/apicall" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/globalcontext/store" @@ -122,7 +123,6 @@ func createrLeaderControllers( eventGenerator event.Interface, ) ([]internal.Controller, func(context.Context) error, error) { var leaderControllers []internal.Controller - certManager := certmanager.NewController( caInformer, tlsInformer, @@ -251,6 +251,7 @@ func main() { renewBefore time.Duration maxAuditWorkers int maxAuditCapacity int + maxAdmissionReports int ) flagset := flag.NewFlagSet("kyverno", flag.ExitOnError) flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.") @@ -273,6 +274,7 @@ func main() { flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration") flagset.IntVar(&maxAuditWorkers, "maxAuditWorkers", 8, "Maximum number of workers for audit policy processing") flagset.IntVar(&maxAuditCapacity, "maxAuditCapacity", 1000, "Maximum capacity of the audit policy task queue") + flagset.IntVar(&maxAdmissionReports, "maxAdmissionReports", 10000, "Maximum number of admission reports before we stop creating new ones") // config appConfig := internal.NewConfiguration( internal.WithProfiling(), 
@@ -515,6 +517,14 @@ func main() { setup.KyvernoClient, backgroundServiceAccountName, ) + ephrs, err := StartAdmissionReportsCounter(signalCtx, setup.MetadataClient) + if err != nil { + setup.Logger.Error(errors.New("failed to start admission reports watcher"), "failed to start admission reports watcher") + os.Exit(1) + } + reportsBreaker := d4f.NewBreaker("admission reports", func(context.Context) bool { + return ephrs.Count() > maxAdmissionReports + }) resourceHandlers := webhooksresource.NewHandlers( engine, setup.KyvernoDynamicClient, @@ -533,6 +543,7 @@ func main() { setup.Jp, maxAuditWorkers, maxAuditCapacity, + reportsBreaker, ) exceptionHandlers := webhooksexception.NewHandlers(exception.ValidationOptions{ Enabled: internal.PolicyExceptionEnabled(), diff --git a/pkg/d4f/breaker.go b/pkg/d4f/breaker.go new file mode 100644 index 000000000000..7866307d3f9a --- /dev/null +++ b/pkg/d4f/breaker.go 
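Review bot: The error returned by StartAdmissionReportsCounter is discarded at the Logger.Error call, which logs a freshly constructed error carrying the same text as the message, so the operator never sees the underlying cause of the failure before the process exits. Pass the real error: `setup.Logger.Error(err, "failed to start admission reports watcher")`. The breaker closure compares ephrs.Count() against maxAdmissionReports without saying what happens past the threshold; a comment such as `// above the threshold new admission reports are dropped, not queued (see pkg/d4f)` next to it would spare readers a trip into the handlers. main starts and ends outside the hunk.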
@@ -0,0 +1,66 @@
+package d4f
+
+import (
+ "context"
+
+ "github.com/kyverno/kyverno/pkg/logging"
+ "github.com/kyverno/kyverno/pkg/metrics"
+ "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/attribute"
+ sdkmetric "go.opentelemetry.io/otel/metric"
+)
+
+type Breaker interface {
+ Do(context.Context, func(context.Context) error) error
+}
+
+type breaker struct {
+ name string
+ drops sdkmetric.Int64Counter
+ total sdkmetric.Int64Counter
+ open func(context.Context) bool
+}
+
+func NewBreaker(name string, open func(context.Context) bool) *breaker {
+ logger := logging.WithName("cricuit-breaker")
+ meter := otel.GetMeterProvider().Meter(metrics.MeterName)
+ drops, err := meter.Int64Counter(
+ "kyverno_breaker_drops",
+ sdkmetric.WithDescription("track the number of times the breaker failed open and dropped"),
+ )
+ if err != nil {
+ logger.Error(err, "Failed to create instrument, kyverno_breaker_drops")
+ }
+ total, err := meter.Int64Counter(
+ "kyverno_breaker_total",
+ sdkmetric.WithDescription("track number of times the breaker was invoked"),
+ )
+ if err != nil {
+ logger.Error(err, "Failed to create instrument, kyverno_breaker_total")
+ }
+ return &breaker{
+ name: name,
+ drops: drops,
+ total: total,
+ open: open,
+ }
+}
+
+func (b *breaker) Do(ctx context.Context, inner func(context.Context) error) error {
+ attributes := sdkmetric.WithAttributes(
+ attribute.String("circuit_name", b.name),
+ )
+ if b.total != nil {
+ b.total.Add(ctx, 1, attributes)
+ }
+ if b.open != nil && b.open(ctx) {
+ if b.drops != nil {
+ b.drops.Add(ctx, 1, attributes)
+ }
+ return nil
+ }
+ if inner == nil {
+ return nil
+ }
+ return inner(ctx)
+}
diff --git a/pkg/d4f/breaker_test.go b/pkg/d4f/breaker_test.go
new file mode 100644
index 000000000000..b1b626d6b017
--- /dev/null
+++ b/pkg/d4f/breaker_test.go
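Review bot: The logger name on the `logging.WithName("cricuit-breaker")` line in NewBreaker is misspelled; it should be `logging.WithName("circuit-breaker")`, otherwise anyone filtering logs by component name will miss these entries. The exported Breaker interface, NewBreaker and Do carry no doc comments, and Do's contract is the non-obvious part: when open returns true the inner func is skipped and nil is returned, so a caller cannot distinguish a dropped call from a successful one except through the kyverno_breaker_drops metric. A comment on Do such as `// Do runs inner unless the breaker is open; an open breaker counts the call as a drop and returns nil without running inner.` would make that explicit, and NewBreaker should state that a nil open means the breaker never opens.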
@@ -0,0 +1,77 @@
+package d4f
+
+import (
+ "context"
+ "errors"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func Test_breaker_Do(t *testing.T) {
+ type args struct {
+ inner func(context.Context) error
+ }
+ tests := []struct {
+ name string
+ subject *breaker
+ args args
+ wantErr bool
+ }{{
+ name: "empty",
+ subject: NewBreaker("", nil),
+ wantErr: false,
+ }, {
+ name: "no error",
+ subject: NewBreaker("", nil),
+ args: args{
+ inner: func(context.Context) error {
+ return nil
+ },
+ },
+ wantErr: false,
+ }, {
+ name: "with error",
+ subject: NewBreaker("", nil),
+ args: args{
+ inner: func(context.Context) error {
+ return errors.New("foo")
+ },
+ },
+ wantErr: true,
+ }, {
+ name: "with break",
+ subject: NewBreaker("", func(context.Context) bool {
+ return true
+ }),
+ args: args{
+ inner: func(context.Context) error {
+ return errors.New("foo")
+ },
+ },
+ wantErr: false,
+ }, {
+ name: "with metrics",
+ subject: &breaker{
+ open: func(context.Context) bool {
+ return true
+ },
+ },
+ args: args{
+ inner: func(context.Context) error {
+ return errors.New("foo")
+ },
+ },
+ wantErr: false,
+ }}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ err := tt.subject.Do(context.TODO(), tt.args.inner)
+ if tt.wantErr {
+ assert.Error(t, err)
+ } else {
+ assert.NoError(t, err)
+ }
+ })
+ }
+}
diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go
index 30ddf1664991..34c3b8a67088 100644
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@@ -17,6 +17,7 @@ import (
 kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
+ "github.com/kyverno/kyverno/pkg/d4f"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 "github.com/kyverno/kyverno/pkg/engine/jmespath"
 "github.com/kyverno/kyverno/pkg/engine/policycontext"
@@ -63,6 +64,7 @@ type resourceHandlers struct { admissionReports bool backgroundServiceAccountName string auditPool *pond.WorkerPool + reportsBreaker d4f.Breaker } func NewHandlers( @@ -83,6 +85,7 @@ func NewHandlers( jp jmespath.Interface, maxAuditWorkers int, maxAuditCapacity int, + reportsBreaker d4f.Breaker, ) webhooks.ResourceHandlers { return &resourceHandlers{ engine: engine, @@ -101,6 +104,7 @@ func NewHandlers( admissionReports: admissionReports, backgroundServiceAccountName: backgroundServiceAccountName, auditPool: pond.New(maxAuditWorkers, maxAuditCapacity, pond.Strategy(pond.Lazy())), + reportsBreaker: reportsBreaker, } } @@ -120,7 +124,19 @@ func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, req logger.V(4).Info("processing policies for validate admission request", "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies)) - vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.engine, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig, h.configuration, h.nsLister) + vh := validation.NewValidationHandler( + logger, + h.kyvernoClient, + h.engine, + h.pCache, + h.pcBuilder, + h.eventGen, + h.admissionReports, + h.metricsConfig, + h.configuration, + h.nsLister, + h.reportsBreaker, + ) var wg sync.WaitGroup var ok bool var msg string 
@@ -182,7 +198,16 @@ func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, reque logger.Error(err, "failed to build policy context") return admissionutils.Response(request.UID, err) } - ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.engine, h.eventGen, h.admissionReports, h.configuration, h.nsLister) + ivh := imageverification.NewImageVerificationHandler( + logger, + h.kyvernoClient, + h.engine, + h.eventGen, + h.admissionReports, + h.configuration, + h.nsLister, + h.reportsBreaker, + ) imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, newRequest, verifyImagesPolicies, policyContext) if err != nil { logger.Error(err, "image verification failed") diff --git a/pkg/webhooks/resource/imageverification/handler.go b/pkg/webhooks/resource/imageverification/handler.go index 6c2d241dfa95..1e726159a6c4 100644 --- a/pkg/webhooks/resource/imageverification/handler.go +++ b/pkg/webhooks/resource/imageverification/handler.go @@ -9,6 +9,7 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" "github.com/kyverno/kyverno/pkg/config" + "github.com/kyverno/kyverno/pkg/d4f" "github.com/kyverno/kyverno/pkg/engine" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/mutate/patch" @@ -39,6 +40,7 @@ type imageVerificationHandler struct { admissionReports bool cfg config.Configuration nsLister corev1listers.NamespaceLister + reportsBreaker d4f.Breaker } func NewImageVerificationHandler( @@ -49,6 +51,7 @@ func NewImageVerificationHandler( admissionReports bool, cfg config.Configuration, nsLister corev1listers.NamespaceLister, + reportsBreaker d4f.Breaker, ) ImageVerificationHandler { return &imageVerificationHandler{ kyvernoClient: kyvernoClient, @@ -58,6 +61,7 @@ func NewImageVerificationHandler( admissionReports: admissionReports, cfg: cfg, nsLister: nsLister, + reportsBreaker: reportsBreaker, } } 
@@ -152,7 +156,7 @@ func (v *imageVerificationHandler) handleAudit( ctx context.Context, resource unstructured.Unstructured, request admissionv1.AdmissionRequest, - namespaceLabels map[string]string, + _ map[string]string, engineResponses ...engineapi.EngineResponse, ) { createReport := v.admissionReports @@ -175,7 +179,10 @@ func (v *imageVerificationHandler) handleAudit( if createReport { report := reportutils.BuildAdmissionReport(resource, request, engineResponses...) if len(report.GetResults()) > 0 { - _, err := reportutils.CreateReport(context.Background(), report, v.kyvernoClient) + err := v.reportsBreaker.Do(ctx, func(ctx context.Context) error { + _, err := reportutils.CreateReport(context.Background(), report, v.kyvernoClient) + return err + }) if err != nil { v.log.Error(err, "failed to create report") } diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go index c0912a434d35..b98658aa6a57 100644 --- a/pkg/webhooks/resource/validation/validation.go +++ b/pkg/webhooks/resource/validation/validation.go @@ -9,6 +9,7 @@ import ( kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/client/clientset/versioned" "github.com/kyverno/kyverno/pkg/config" + "github.com/kyverno/kyverno/pkg/d4f" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "github.com/kyverno/kyverno/pkg/engine/policycontext" "github.com/kyverno/kyverno/pkg/event" @@ -45,6 +46,7 @@ func NewValidationHandler( metrics metrics.MetricsConfigManager, cfg config.Configuration, nsLister corev1listers.NamespaceLister, + reportsBreaker d4f.Breaker, ) ValidationHandler { return &validationHandler{ log: log, @@ -57,6 +59,7 @@ func NewValidationHandler( metrics: metrics, cfg: cfg, nsLister: nsLister, + reportsBreaker: reportsBreaker, } } 
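Review bot: Inside the breaker callback in handleAudit the closure declares a ctx parameter but still calls CreateReport with context.Background(), so the parameter shadows the outer ctx and is never used; the parallel change in pkg/webhooks/resource/validation/validation.go passes ctx through, so the two report paths now behave differently on cancellation. If detaching from the admission request context is intentional, so that the report write is not cancelled when the request finishes, name the parameter `_` and say so: `err := v.reportsBreaker.Do(ctx, func(_ context.Context) error { // report creation deliberately outlives the request`; otherwise use the ctx handed to the closure. handleAudit starts before the hunk and continues after it.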
@@ -71,6 +74,7 @@ type validationHandler struct { metrics metrics.MetricsConfigManager cfg config.Configuration nsLister corev1listers.NamespaceLister + reportsBreaker d4f.Breaker } func (v *validationHandler) HandleValidationEnforce( @@ -225,7 +229,10 @@ func (v *validationHandler) createReports( ) error { report := reportutils.BuildAdmissionReport(resource, request.AdmissionRequest, engineResponses...) if len(report.GetResults()) > 0 { - _, err := reportutils.CreateReport(ctx, report, v.kyvernoClient) + err := v.reportsBreaker.Do(ctx, func(ctx context.Context) error { + _, err := reportutils.CreateReport(ctx, report, v.kyvernoClient) + return err + }) if err != nil { return err } From 122b3a36cff39b329c65863d511e7472bcfd9a56 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 07:33:37 +0000 Subject: [PATCH 09/10] chore(deps): bump kyverno/action-install-chainsaw from 0.2.4 to 0.2.5 (#10532) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.2.4 to 0.2.5. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](https://github.com/kyverno/action-install-chainsaw/compare/dd64b5d7b2b7d36fdf701d48ac8b216aa94414db...573a9c636f7c586f86ecb9de9674176daf80ee29) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/conformance.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index d8e625f09546..817910b252cf 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml 
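Review bot: createReports now calls v.reportsBreaker.Do unconditionally, and nothing in NewValidationHandler checks that the d4f.Breaker it stores is non-nil, so a handler built without one panics on the first report instead of creating it; handleAudit in pkg/webhooks/resource/imageverification/handler.go has the same exposure. pkg/webhooks/resource/fake.go is not touched by this commit, so if NewFakeHandlers builds its handlers without a breaker the test paths that create reports would hit that, though I cannot see how it constructs them from here. Either document on the constructor that a non-nil breaker is required, or fall back to calling reportutils.CreateReport directly when v.reportsBreaker is nil. createReports starts before the hunk.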
@@ -128,7 +128,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -197,7 +197,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -271,7 +271,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -340,7 +340,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -413,7 +413,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 
@@ -489,7 +489,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -564,7 +564,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 @@ -643,7 +643,7 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster and setup Sigstore Scaffolding uses: sigstore/scaffolding/actions/setup@fb8d1817d2571303daf88f49d3a23daeb7474e84 @@ -733,7 +733,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 
@@ -842,7 +842,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 - name: Download kyverno CLI archive uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: @@ -967,7 +967,7 @@ jobs: with: name: kubectl-kyverno - name: Install chainsaw - uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + uses: kyverno/action-install-chainsaw@573a9c636f7c586f86ecb9de9674176daf80ee29 # v0.2.5 # create cluster - name: Create kind cluster uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 From cd6988d1e2fa44128084fb3f8c20b2fd22c56115 Mon Sep 17 00:00:00 2001 From: Husni Alhamdani Date: Tue, 25 Jun 2024 11:24:35 +0200 Subject: [PATCH 10/10] fix: reset mutable fields orphandownstream (#10478) * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani * fix: reset mutable fields orphandownstream Signed-off-by: Husni Alhamdani --------- 
Signed-off-by: Husni Alhamdani Co-authored-by: shuting --- pkg/validation/policy/generate.go | 1 + .../chainsaw-test.yaml | 46 ++++++++++++++++--- ...4-error-1-1.yaml => configmap-assert.yaml} | 0 ...step-02-assert-1-1.yaml => configmap.yaml} | 0 ...-step-02-apply-1-1.yaml => namespace.yaml} | 0 ...p-01-apply-1-1.yaml => policy-orphan.yaml} | 0 ...p-01-assert-1-1.yaml => policy-ready.yaml} | 0 .../policy.yaml | 36 +++++++++++++++ .../validation/clusterpolicy/orphan/README.md | 12 +++++ .../clusterpolicy/orphan/chainsaw-test.yaml | 19 ++++++++ .../clusterpolicy/orphan/policy-assert.yaml | 9 ++++ .../orphan/policy-with-orphan.yaml | 33 +++++++++++++ .../clusterpolicy/orphan/policy.yaml | 33 +++++++++++++ 13 files changed, 183 insertions(+), 6 deletions(-) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-04-error-1-1.yaml => configmap-assert.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-02-assert-1-1.yaml => configmap.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-02-apply-1-1.yaml => namespace.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-01-apply-1-1.yaml => policy-orphan.yaml} (100%) rename test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/{chainsaw-step-01-assert-1-1.yaml => policy-ready.yaml} (100%) create mode 100755 test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md create mode 100644 
test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml create mode 100644 test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml diff --git a/pkg/validation/policy/generate.go b/pkg/validation/policy/generate.go index 7634a041e863..ce7ddc5dd03c 100644 --- a/pkg/validation/policy/generate.go +++ b/pkg/validation/policy/generate.go @@ -51,6 +51,7 @@ func resetMutableFields(rule kyvernov1.Rule) *kyvernov1.Rule { rule.DeepCopyInto(new) new.Generation.Synchronize = true new.Generation.SetData(nil) + new.Generation.OrphanDownstreamOnPolicyDelete = true return new } diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml index 33ac3d245149..6277148d568f 100755 --- a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-test.yaml 
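Review bot: resetMutableFields carries no comment explaining that the values it assigns are placeholders, and the added line `new.Generation.OrphanDownstreamOnPolicyDelete = true` reads as if it changed the rule's behaviour rather than neutralising a field before a comparison. Judging by the name and the existing `Synchronize = true` / `SetData(nil)` lines, the copy is presumably compared against another rule so that only immutable fields are checked; a header such as `// resetMutableFields returns a copy of rule with the generate fields that may change on update (synchronize, data, orphanDownstreamOnPolicyDelete) set to fixed values so that the caller's comparison sees only the immutable fields.` would make that explicit and give maintainers a list to keep in step with the assignments, since a field missing from this list is exactly what makes a legitimate update look like an immutable-field change. Worth stating in that comment too that orphanDownstreamOnPolicyDelete decides whether generated resources survive deletion of the policy, so treating it as mutable is acceptable only because update rights on a policy already imply the ability to delete its rules. The function signature and the allocation of `new` are outside the hunk.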
@@ -2,22 +2,56 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: creationTimestamp: null - name: cpol-data-sync-delete-policy + name: cpol-data-sync-delete-policy-with-orphan spec: steps: - name: step-01 try: - apply: - file: chainsaw-step-01-apply-1-1.yaml + file: policy.yaml - assert: - file: chainsaw-step-01-assert-1-1.yaml + file: policy-ready.yaml - name: step-02 try: - apply: - file: chainsaw-step-02-apply-1-1.yaml + file: namespace.yaml - assert: - file: chainsaw-step-02-assert-1-1.yaml + file: configmap.yaml - name: step-03 + try: + - delete: + ref: + apiVersion: kyverno.io/v1 + kind: ClusterPolicy + name: cpol-data-sync-orphan-downstream-delete-policy + - error: + file: configmap-assert.yaml + - name: step-04 + try: + - delete: + ref: + apiVersion: v1 + kind: Namespace + name: cpol-data-sync-orphan-downstream-delete-policy-ns + - name: step-05 + try: + - apply: + file: policy.yaml + - assert: + file: policy-ready.yaml + - name: step-06 + try: + - apply: + file: policy-orphan.yaml + - assert: + file: policy-ready.yaml + - name: step-07 + try: + - apply: + file: namespace.yaml + - assert: + file: configmap.yaml + - name: step-08 try: - delete: ref: @@ -25,4 +59,4 @@ spec: kind: ClusterPolicy name: cpol-data-sync-orphan-downstream-delete-policy - assert: - file: chainsaw-step-02-assert-1-1.yaml + file: configmap.yaml \ No newline at end of file 
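Review bot: step-04 deletes the namespace `cpol-data-sync-orphan-downstream-delete-policy-ns` and step-07 re-applies `namespace.yaml` with nothing in between asserting that the namespace is gone; namespace deletion is asynchronous, so unless chainsaw's `delete` blocks until the object has disappeared (it appears to by default, but the step timeout should be checked for a namespace that still holds a generated ConfigMap), the re-create in step-07 can collide with a Terminating namespace and the test becomes flaky instead of failing on the behaviour it targets. A small guard is to follow the delete in step-04 with an `error:` check on `namespace.yaml` so the test waits for the namespace to vanish before step-05 runs. Separately, `metadata.name` now reads `cpol-data-sync-delete-policy-with-orphan` while the directory and the ClusterPolicy are both `cpol-data-sync-orphan-downstream-delete-policy`; aligning the test name with the directory keeps a failing run easy to locate.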
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-04-error-1-1.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap-assert.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-assert-1-1.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/configmap.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-02-apply-1-1.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/namespace.yaml 
diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-apply-1-1.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-orphan.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml similarity index 100% rename from test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/chainsaw-step-01-assert-1-1.yaml rename to test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy-ready.yaml diff --git a/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml new file mode 100755 index 000000000000..d5660a15c9f0 --- /dev/null +++ b/test/conformance/chainsaw/generate/clusterpolicy/standard/data/sync/cpol-data-sync-orphan-downstream-delete-policy/policy.yaml 
@@ -0,0 +1,36 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-data-sync-orphan-downstream-delete-policy +spec: + generateExisting: false + rules: + - exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + apiVersion: v1 + data: + data: + KAFKA_ADDRESS: 192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092 + ZK_ADDRESS: 192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181 + kind: ConfigMap + metadata: + labels: + somekey: somevalue + kind: ConfigMap + name: zk-kafka-address + namespace: '{{request.object.metadata.name}}' + synchronize: true + orphanDownstreamOnPolicyDelete: false + match: + any: + - resources: + kinds: + - Namespace + name: cpol-data-sync-delete-rule diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md new file mode 100644 index 000000000000..df4b297ffd35 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/README.md @@ -0,0 +1,12 @@ +## Description + +This test ensures that a generate policy with `orphanDownstreamOnPolicyDelete` can be updated on existing policy. + +## Expected Behavior + +The test fails if the `orphanDownstreamOnPolicyDelete` can't be updated, otherwise passes. + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/10464 \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml new file mode 100644 index 000000000000..5005f5aa4993 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/chainsaw-test.yaml 
@@ -0,0 +1,19 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: update-orphan +spec: + steps: + - name: step-01 + try: + - apply: + file: policy.yaml + - assert: + file: policy-assert.yaml + - name: step-02 + try: + - apply: + file: policy-with-orphan.yaml + - assert: + file: policy-assert.yaml diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml new file mode 100644 index 000000000000..8813628e701c --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-orphan +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready \ No newline at end of file diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml new file mode 100644 index 000000000000..81540b397d62 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy-with-orphan.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-orphan +spec: + rules: + - name: deny-all-traffic + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + orphanDownstreamOnPolicyDelete: true + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: deny-all-traffic + namespace: "{{request.object.metadata.name}}" + data: + spec: + # select all pods in the namespace + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file 
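Review bot: step-02 asserts only `policy-assert.yaml`, which checks the Ready condition and nothing else, so the test passes as long as the update is accepted and never verifies that `orphanDownstreamOnPolicyDelete` actually became `true` on the stored policy, which is the behaviour the README says it guards; the same assert file is also used in step-01 where the value is `false`, so it cannot carry the field itself. Add a second assert for step-02 only, containing the policy name plus `spec.rules[0].generate.orphanDownstreamOnPolicyDelete: true` (written out as nested `spec: rules: - name: deny-all-traffic generate: orphanDownstreamOnPolicyDelete: true`), so that a webhook that silently dropped or rewrote the field would be caught. Since the fixture generates a deny-all NetworkPolicy in every non-excluded namespace, a cleanup step deleting `generate-update-orphan` at the end would also avoid leaving that control behind for later tests in the same cluster.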
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml new file mode 100644 index 000000000000..98d55f9c92e8 --- /dev/null +++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/orphan/policy.yaml @@ -0,0 +1,33 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: generate-update-orphan +spec: + rules: + - name: deny-all-traffic + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + orphanDownstreamOnPolicyDelete: false + kind: NetworkPolicy + apiVersion: networking.k8s.io/v1 + name: deny-all-traffic + namespace: "{{request.object.metadata.name}}" + data: + spec: + # select all pods in the namespace + podSelector: {} + policyTypes: + - Ingress + - Egress \ No newline at end of file