chore: merge main

Signed-off-by: ShutingZhao <[email protected]>

.github/workflows/clean-stale-branches.yaml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Cleanup Stale Branches
-        uses: cbrgm/cleanup-stale-branches-action@03d7d18e1a5ca5663846c6399e0614941d4985c3 # v1.1.19
+        uses: cbrgm/cleanup-stale-branches-action@3a038290b56a3936cb9666a3f48adb3b6af7e583 # v1.1.20
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}

.github/workflows/conformance.yaml

@@ -94,6 +94,7 @@ jobs:
           - name: v1.30
             version: v1.30.0
         tests:
+          - ^assert$
           - ^autogen$
           - ^background-only$
           - ^cleanup$

Makefile

@@ -35,7 +35,6 @@ USE_CONFIG           ?= standard
 TOOLS_DIR                          ?= $(PWD)/.tools
 KIND                               ?= $(TOOLS_DIR)/kind
 KIND_VERSION                       ?= v0.23.0
-CONTROLLER_GEN                     ?= $(TOOLS_DIR)/controller-gen
 CONTROLLER_GEN_VERSION             ?= v0.15.0
 CLIENT_GEN                         ?= $(TOOLS_DIR)/client-gen
 LISTER_GEN                         ?= $(TOOLS_DIR)/lister-gen
@@ -61,7 +60,7 @@ HELM_DOCS_VERSION                  ?= v1.11.0
 KO                                 ?= $(TOOLS_DIR)/ko
 KO_VERSION                         ?= v0.14.1
 KUBE_VERSION                       ?= v1.25.0
-TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
+TOOLS                              := $(KIND) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
 else
@@ -73,10 +72,6 @@ $(KIND):
 	@echo Install kind... >&2
 	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
 
-$(CONTROLLER_GEN):
-	@echo Install controller-gen... >&2
-	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)
-
 $(CLIENT_GEN):
 	@echo Install client-gen... >&2
 	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/client-gen@$(CODE_GEN_VERSION)
@@ -503,28 +498,28 @@ codegen-client-all: codegen-client-informers
 codegen-client-all: codegen-client-wrappers
 
 .PHONY: codegen-crds-kyverno
-codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
+codegen-crds-kyverno: ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
 	@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
-	@$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno
+	@go run ./hack/controller-gen -- paths=./api/kyverno/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
 
 .PHONY: codegen-crds-policyreport
-codegen-crds-policyreport: $(CONTROLLER_GEN) ## Generate policy reports CRDs
+codegen-crds-policyreport: ## Generate policy reports CRDs
 	@echo Generate policy reports crds... >&2
 	@rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport
-	@$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport
+	@go run ./hack/controller-gen -- paths=./api/policyreport/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/policyreport
 
 .PHONY: codegen-crds-reports
-codegen-crds-reports: $(CONTROLLER_GEN) ## Generate reports CRDs
+codegen-crds-reports: ## Generate reports CRDs
 	@echo Generate reports crds... >&2
 	@rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports
-	@$(CONTROLLER_GEN) paths=./api/reports/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/reports
+	@go run ./hack/controller-gen -- paths=./api/reports/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/reports
 
 .PHONY: codegen-crds-cli
-codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
+codegen-crds-cli: ## Generate CLI CRDs
 	@echo Generate cli crds... >&2
 	@rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds
-	@$(CONTROLLER_GEN) paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1 output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
+	@go run ./hack/controller-gen -- paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
 
 .PHONY: codegen-crds-all
 codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
@@ -601,6 +596,7 @@ define generate_crd
 		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- with .Values.annotations }}' \
  		| $(SED) -e '/^  annotations:/i \ \ labels:' \
 		| $(SED) -e '/^  labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \
+		| $(SED) -e 's/(devel)/$(CONTROLLER_GEN_VERSION)/' \
  		>> ./charts/kyverno/charts/crds/templates/$(3)/$(1)
 	@echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/$(3)/$(1)
 endef

api/kyverno/v1/common_types.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
 	"github.com/kyverno/kyverno/api/kyverno"
 	"github.com/kyverno/kyverno/pkg/engine/variables/regex"
 	"github.com/kyverno/kyverno/pkg/pss/utils"
@@ -19,6 +20,9 @@ import (
 	"k8s.io/pod-security-admission/api"
 )
 
+// AssertionTree defines a kyverno-json assertion tree.
+type AssertionTree = kjson.Any
+
 // FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
 // +kubebuilder:validation:Enum=Ignore;Fail
 type FailurePolicyType string
@@ -495,6 +499,10 @@ type Validation struct {
 	// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
 	// +optional
 	CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
+
+	// Assert defines a kyverno-json assertion tree.
+	// +optional
+	Assert AssertionTree `json:"assert"`
 }
 
 // PodSecurity applies exemptions for Kubernetes Pod Security admission
@@ -650,15 +658,24 @@ type Deny struct {
 	// of conditions (without `any` or `all` statements) is also supported for backwards compatibility
 	// but will be deprecated in the next major release.
 	// See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
-	RawAnyAllConditions *apiextv1.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"`
+	// +kubebuilder:validation:Schemaless
+	// +kubebuilder:pruning:PreserveUnknownFields
+	RawAnyAllConditions *ConditionsWrapper `json:"conditions,omitempty" yaml:"conditions,omitempty"`
 }
 
-func (d *Deny) GetAnyAllConditions() apiextensions.JSON {
-	return FromJSON(d.RawAnyAllConditions)
+func (d *Deny) GetAnyAllConditions() any {
+	if d.RawAnyAllConditions == nil {
+		return nil
+	}
+	return d.RawAnyAllConditions.Conditions
 }
 
-func (d *Deny) SetAnyAllConditions(in apiextensions.JSON) {
-	d.RawAnyAllConditions = ToJSON(in)
+func (d *Deny) SetAnyAllConditions(in any) {
+	var new *ConditionsWrapper
+	if in != nil {
+		new = &ConditionsWrapper{in}
+	}
+	d.RawAnyAllConditions = new
 }
 
 // ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.

api/kyverno/v1/resource_spec_types.go

@@ -3,8 +3,6 @@ package v1
 import (
 	"strings"
 
-	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
-	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -54,9 +52,14 @@ type TargetResourceSpec struct {
 	// will be deprecated in the next major release.
 	// See: https://kyverno.io/docs/writing-policies/preconditions/
 	// +optional
-	RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
+	// +kubebuilder:validation:Schemaless
+	// +kubebuilder:pruning:PreserveUnknownFields
+	RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
 }
 
-func (r *TargetResourceSpec) GetAnyAllConditions() apiextensions.JSON {
-	return FromJSON(r.RawAnyAllConditions)
+func (r *TargetResourceSpec) GetAnyAllConditions() any {
+	if r.RawAnyAllConditions == nil {
+		return nil
+	}
+	return r.RawAnyAllConditions.Conditions
 }

api/kyverno/v1/rule_types.go

@@ -8,8 +8,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/pss/utils"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
-	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
-	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -76,7 +74,9 @@ type Rule struct {
 	// will be deprecated in the next major release.
 	// See: https://kyverno.io/docs/writing-policies/preconditions/
 	// +optional
-	RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
+	// +kubebuilder:validation:Schemaless
+	// +kubebuilder:pruning:PreserveUnknownFields
+	RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
 
 	// CELPreconditions are used to determine if a policy rule should be applied by evaluating a
 	// set of CEL conditions. It can only be used with the validate.cel subrule
@@ -160,6 +160,11 @@ func (r *Rule) HasValidateCEL() bool {
 	return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &CEL{})
 }
 
+// HasValidateAssert checks for validate.assert rule
+func (r *Rule) HasValidateAssert() bool {
+	return !datautils.DeepEqual(r.Validation.Assert, AssertionTree{})
+}
+
 // HasValidate checks for validate rule
 func (r *Rule) HasValidate() bool {
 	return !datautils.DeepEqual(r.Validation, Validation{})
@@ -181,12 +186,19 @@ func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, o
 	return r.Generation.GetTypeAndSyncAndOrphanDownstream()
 }
 
-func (r *Rule) GetAnyAllConditions() apiextensions.JSON {
-	return FromJSON(r.RawAnyAllConditions)
+func (r *Rule) GetAnyAllConditions() any {
+	if r.RawAnyAllConditions == nil {
+		return nil
+	}
+	return r.RawAnyAllConditions.Conditions
 }
 
-func (r *Rule) SetAnyAllConditions(in apiextensions.JSON) {
-	r.RawAnyAllConditions = ToJSON(in)
+func (r *Rule) SetAnyAllConditions(in any) {
+	var new *ConditionsWrapper
+	if in != nil {
+		new = &ConditionsWrapper{in}
+	}
+	r.RawAnyAllConditions = new
 }
 
 // ValidateRuleType checks only one type of rule is defined per rule

api/kyverno/v1/wrappers.go

@@ -2,6 +2,7 @@ package v1
 
 import (
 	"encoding/json"
+	"fmt"
 
 	"github.com/jinzhu/copier"
 )
@@ -77,3 +78,48 @@ func (a *ForEachMutationWrapper) UnmarshalJSON(data []byte) error {
 	a.Items = res
 	return nil
 }
+
+// ConditionsWrapper contains either the deprecated list of Conditions or the new AnyAll Conditions.
+// +k8s:deepcopy-gen=false
+type ConditionsWrapper struct {
+	// Conditions is a list of conditions that must be satisfied for the rule to be applied.
+	// +optional
+	Conditions any `json:"-"`
+}
+
+func (in *ConditionsWrapper) DeepCopyInto(out *ConditionsWrapper) {
+	if err := copier.Copy(out, in); err != nil {
+		panic("deep copy failed")
+	}
+}
+
+func (in *ConditionsWrapper) DeepCopy() *ConditionsWrapper {
+	if in == nil {
+		return nil
+	}
+	out := new(ConditionsWrapper)
+	in.DeepCopyInto(out)
+	return out
+}
+
+func (a *ConditionsWrapper) MarshalJSON() ([]byte, error) {
+	return json.Marshal(a.Conditions)
+}
+
+func (a *ConditionsWrapper) UnmarshalJSON(data []byte) error {
+	var err error
+
+	var kyvernoOldConditions []Condition
+	if err = json.Unmarshal(data, &kyvernoOldConditions); err == nil {
+		a.Conditions = kyvernoOldConditions
+		return nil
+	}
+
+	var kyvernoAnyAllConditions AnyAllConditions
+	if err = json.Unmarshal(data, &kyvernoAnyAllConditions); err == nil {
+		a.Conditions = kyvernoAnyAllConditions
+		return nil
+	}
+
+	return fmt.Errorf("failed to unmarshal Conditions")
+}

api/kyverno/v2beta1/common_types.go

@@ -1,10 +1,14 @@
 package v2beta1
 
 import (
+	kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
 	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 )
 
+// AssertionTree defines a kyverno-json assertion tree.
+type AssertionTree = kjson.Any
+
 // Validation defines checks to be performed on matching resources.
 type Validation struct {
 	// ValidationFailureAction defines if a validation policy rule violation should block
@@ -55,6 +59,10 @@ type Validation struct {
 	// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
 	// +optional
 	CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"`
+
+	// Assert defines a kyverno-json assertion tree.
+	// +optional
+	Assert AssertionTree `json:"assert"`
 }
 
 // ConditionOperator is the operation performed on condition key and value.