Merge branch 'main' into doc-fix
realshuting authored Jul 21, 2023
2 parents 9cd6342 + 69cb254 commit d4fe2e2
Showing 32 changed files with 268 additions and 44 deletions.
2 changes: 2 additions & 0 deletions .nancy-ignore
Original file line number Diff line number Diff line change
@@ -22,3 +22,5 @@ CVE-2021-28235 until=2023-07-31
CVE-2023-0296 until=2023-07-31
# golang/k8s.io/[email protected]
CVE-2020-8561 until=2023-07-31
# golang/github.com/tektoncd/[email protected]
CVE-2023-37264 until=2023-07-31
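Review bot: the new `CVE-2023-37264 until=2023-07-31` entry has no justification beyond the module path comment, and its expiry is ten days after this commit (Jul 21, 2023), the same date as every other entry visible in the hunk. Record why the tektoncd/pipeline finding does not affect kyverno (or link the tracking issue) and schedule the dependency bump before that date, otherwise the scan starts failing on 2023-08-01.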
2 changes: 2 additions & 0 deletions charts/kyverno/Chart.yaml
@@ -50,3 +50,5 @@ annotations:
description: change to enable webhook cleanup hook by default
- kind: added
description: allow pod labels for cleanup jobs
- kind: added
description: allow nodeSelector for cleanup jobs
2 changes: 2 additions & 0 deletions charts/kyverno/README.md
@@ -650,6 +650,7 @@ The chart values are organised per component.
| cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.admissionReports.resources | object | `{}` | Job resources |
| cleanupJobs.admissionReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.admissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.admissionReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.admissionReports.podLabels | object | `{}` | Pod labels |
| cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob |
@@ -665,6 +666,7 @@ The chart values are organised per component.
| cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| cleanupJobs.clusterAdmissionReports.resources | object | `{}` | Job resources |
| cleanupJobs.clusterAdmissionReports.tolerations | list | `[]` | List of node taints to tolerate |
| cleanupJobs.clusterAdmissionReports.nodeSelector | object | `{}` | Node labels for pod assignment |
| cleanupJobs.clusterAdmissionReports.podAnnotations | object | `{}` | Pod Annotations |
| cleanupJobs.clusterAdmissionReports.podLabels | object | `{}` | Pod Labels |

7 changes: 7 additions & 0 deletions charts/kyverno/ci/cleanupJobs-values.yaml
@@ -0,0 +1,7 @@
cleanupJobs:
admissionReports:
nodeSelector:
kubernetes.io/os: linux
clusterAdmissionReports:
nodeSelector:
kubernetes.io/os: linux
@@ -61,4 +61,8 @@ spec:
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.admissionReports.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- end -}}
@@ -61,4 +61,8 @@ spec:
tolerations:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cleanupJobs.clusterAdmissionReports.nodeSelector }}
nodeSelector:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- end -}}
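Review bot: this `nodeSelector` block is identical to the admissionReports one above apart from the values path, and both pass the user-supplied map through `tpl (toYaml .) $`, as the `tolerations` block already does. That keeps the chart consistent, but it also means values in `nodeSelector` are template-expanded before rendering; a shared named template taking the values sub-tree as an argument would avoid keeping two copies in sync.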
6 changes: 6 additions & 0 deletions charts/kyverno/values.yaml
@@ -448,6 +448,9 @@ cleanupJobs:
# -- List of node taints to tolerate
tolerations: []

# -- Node labels for pod assignment
nodeSelector: {}

# -- Pod Annotations
podAnnotations: {}

@@ -507,6 +510,9 @@ cleanupJobs:
# -- List of node taints to tolerate
tolerations: []

# -- Node labels for pod assignment
nodeSelector: {}

# -- Pod Annotations
podAnnotations: {}

16 changes: 8 additions & 8 deletions go.mod
@@ -54,7 +54,7 @@ require (
go.opentelemetry.io/otel/sdk v1.16.0
go.opentelemetry.io/otel/sdk/metric v0.39.0
go.opentelemetry.io/otel/trace v1.16.0
go.uber.org/automaxprocs v1.5.2
go.uber.org/automaxprocs v1.5.3
go.uber.org/multierr v1.11.0
go.uber.org/zap v1.24.0
golang.org/x/crypto v0.11.0
@@ -66,14 +66,14 @@ require (
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
gotest.tools v2.2.0+incompatible
k8s.io/api v0.27.3
k8s.io/api v0.27.4
k8s.io/apiextensions-apiserver v0.27.3
k8s.io/apimachinery v0.27.3
k8s.io/apiserver v0.27.3
k8s.io/cli-runtime v0.27.3
k8s.io/client-go v0.27.3
k8s.io/apimachinery v0.27.4
k8s.io/apiserver v0.27.4
k8s.io/cli-runtime v0.27.4
k8s.io/client-go v0.27.4
k8s.io/klog/v2 v2.100.1
k8s.io/kube-aggregator v0.27.3
k8s.io/kube-aggregator v0.27.4
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
k8s.io/pod-security-admission v0.27.3
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
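Review bot: the k8s.io bump is partial. `k8s.io/api`, `apimachinery`, `apiserver`, `cli-runtime`, `client-go` and `kube-aggregator` move to v0.27.4 in this hunk, while `k8s.io/apiextensions-apiserver` and `k8s.io/pod-security-admission` stay at v0.27.3 (and `k8s.io/kubectl` remains at v0.26.3 in the indirect block below). The staging modules are published together per patch release; bump them in lockstep so client types are not mixed across patch versions.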
@@ -329,7 +329,7 @@ require (
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
k8s.io/component-base v0.27.3 // indirect
k8s.io/component-base v0.27.4 // indirect
k8s.io/kubectl v0.26.3 // indirect
oras.land/oras-go/v2 v2.2.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
34 changes: 17 additions & 17 deletions go.sum
@@ -1217,7 +1217,7 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
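Review bot: `github.com/rogpeppe/go-internal` moves from v1.10.0 to v1.11.0 in this hunk, but none of the go.mod hunks in this commit show that module. Confirm the change is the result of `go mod tidy` after the k8s.io bump rather than a stale go.sum line, and that the matching `/go.mod` entry was updated as well.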
@@ -1502,8 +1502,8 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q=
go.uber.org/automaxprocs v1.5.2 h1:2LxUOGiR3O6tw8ui5sZa2LAaHnsviZdVOUZw4fvbnME=
go.uber.org/automaxprocs v1.5.2/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
@@ -2128,32 +2128,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y=
k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg=
k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4=
k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84=
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4=
k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA=
k8s.io/cli-runtime v0.27.3 h1:h592I+2eJfXj/4jVYM+tu9Rv8FEc/dyCoD80UJlMW2Y=
k8s.io/cli-runtime v0.27.3/go.mod h1:LzXud3vFFuDFXn2LIrWnscPgUiEj7gQQcYZE2UPn9Kw=
k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho=
k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE=
k8s.io/cli-runtime v0.27.4 h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto=
k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw=
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8=
k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48=
k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0=
k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k=
k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY=
k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c=
k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY=
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
@@ -2162,8 +2162,8 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-aggregator v0.27.3 h1:0o/Q30C84hHvhUef7OOTHMhO2eCySOPHKOUUrhBwpfo=
k8s.io/kube-aggregator v0.27.3/go.mod h1:zbx67NbFee9cqjbXjib89/oOyrXdOq3UYStIBGazv08=
k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc=
k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
19 changes: 11 additions & 8 deletions pkg/engine/utils/match.go
@@ -115,14 +115,17 @@ func doesResourceMatchConditionBlock(
}
}

if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
(resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
if err != nil {
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
} else {
if !hasPassed {
errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
if conditionBlock.NamespaceSelector != nil {
if resource.GetKind() == "Namespace" {
errs = append(errs, fmt.Errorf("namespace selector is not applicable for namespace resource"))
} else if resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind()) {
hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
if err != nil {
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
} else {
if !hasPassed {
errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
}
}
}
}
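Review bot: the new `Namespace` branch changes matching semantics, not just the error message. Before, a condition block with `namespaceSelector` skipped the selector check for `Namespace` resources and could still match them; now it appends an error, so such a rule never matches a Namespace object. That may well be the intended behaviour, but it needs a unit test and a changelog entry. Two smaller points in the same hunk: in the `else if` condition `wildcard.Match("*", resource.GetKind())` is always true and `&&` binds tighter than `||`, so the condition reduces to `resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*")` and the wildcard call can go; and `} else { if !hasPassed {` collapses to `} else if !hasPassed {`.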
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/allin.go
@@ -29,7 +29,7 @@ func (allin AllInHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return allin.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return allin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
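Review bot: adding `bool` to the numeric case means a boolean key is compared as the string `"true"` or `"false"` via `fmt.Sprint`; confirm that `validateValueWithStringPattern` applies the same stringification to boolean entries on the value side (for example `value: [true]`), otherwise a bool key and a bool value will not match. The same one-line change is repeated in allnotin.go, anyin.go, anynotin.go, in.go and notin.go below; a table-driven test covering all six operators with bool keys would guard against the handlers drifting apart.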
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/allnotin.go
@@ -26,7 +26,7 @@ func (allnin AllNotInHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return allnin.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return allnin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/anyin.go
@@ -31,7 +31,7 @@ func (anyin AnyInHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return anyin.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return anyin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/anynotin.go
@@ -26,7 +26,7 @@ func (anynin AnyNotInHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return anynin.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return anynin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/in.go
@@ -30,7 +30,7 @@ func (in InHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return in.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return in.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
2 changes: 1 addition & 1 deletion pkg/engine/variables/operator/notin.go
@@ -28,7 +28,7 @@ func (nin NotInHandler) Evaluate(key, value interface{}) bool {
switch typedKey := key.(type) {
case string:
return nin.validateValueWithStringPattern(typedKey, value)
case int, int32, int64, float32, float64:
case int, int32, int64, float32, float64, bool:
return nin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
case []interface{}:
var stringSlice []string
13 changes: 11 additions & 2 deletions pkg/openapi/manager.go
@@ -133,11 +133,20 @@ func (o *manager) ValidatePolicyMutation(policy kyvernov1.PolicyInterface) error
}

for kind, rules := range kindToRules {
if kind == "CustomResourceDefinition" {
continue
}
newPolicy := policy.CreateDeepCopy()
spec := newPolicy.GetSpec()
spec.SetRules(rules)
k, _ := o.gvkToDefinitionName.Get(kind)
d, _ := o.definitions.Get(k)
k, ok := o.gvkToDefinitionName.Get(kind)
if !ok {
continue
}
d, ok := o.definitions.Get(k)
if !ok {
continue
}
resource, _ := o.generateEmptyResource(d).(map[string]interface{})
if len(resource) == 0 {
o.logger.V(2).Info("unable to validate resource. OpenApi definition not found", "kind", kind)
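Review bot: the two new `if !ok { continue }` branches skip the kind silently, whereas the existing not-found path just below logs `unable to validate resource. OpenApi definition not found` at V(2); log at the same level in the new branches so a policy whose kind cannot be resolved to a definition is still visible in debug output. The hardcoded `CustomResourceDefinition` skip also deserves a comment saying why CRDs are exempt from mutation schema validation (the test README in this commit references kyverno/kyverno#7844), since a bare `continue` on a kind name reads like a workaround rather than a rule.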
12 changes: 10 additions & 2 deletions pkg/validation/policy/validate.go
@@ -491,11 +491,19 @@ func cleanup(policy kyvernov1.PolicyInterface) kyvernov1.PolicyInterface {
policy.SetAnnotations(ann)
}
if policy.GetNamespace() == "" {
pol := policy.(*kyvernov1.ClusterPolicy)
var pol *kyvernov1.ClusterPolicy
var ok bool
if pol, ok = policy.(*kyvernov1.ClusterPolicy); !ok {
return policy
}
pol.Status.Autogen.Rules = nil
return pol
} else {
pol := policy.(*kyvernov1.Policy)
var pol *kyvernov1.Policy
var ok bool
if pol, ok = policy.(*kyvernov1.Policy); !ok {
return policy
}
pol.Status.Autogen.Rules = nil
return pol
}
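Review bot: the `var pol ...; var ok bool; if pol, ok = policy.(...); !ok { return policy }` shape is more verbose than it needs to be; `if pol, ok := policy.(*kyvernov1.ClusterPolicy); ok { pol.Status.Autogen.Rules = nil; return pol }` does the same, and since the two branches differ only in the concrete type, a `switch pol := policy.(type)` with a case per type would replace both. Also add a one-line comment that returning `policy` unchanged on a failed assertion deliberately leaves the autogen status untouched for other `PolicyInterface` implementations, since that is now a silent fallback rather than a panic.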
@@ -0,0 +1,42 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Security
policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
Resource Definition created by the subjects in the xteam Azure AD group
and adds the label "createdByXteam: true".'
policies.kyverno.io/subject: RBAC
policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad
group
policy.reporter.kyverno.io/minimal: minimal
generation: 1
labels:
aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
name: mutate-xteam-namespace-scoped-crds
spec:
background: false
rules:
- match:
all:
- resources:
kinds:
- CustomResourceDefinition
subjects:
- kind: Group
name: aad:9b9had99-6k66-2222-9999-8aadb888e888
mutate:
patchStrategicMerge:
metadata:
labels:
createdByXteam: "true"
name: mutate-xteams-crd-creation
preconditions:
all:
- key: '{{request.operation}}'
operator: Equals
value: CREATE
- key: '{{ request.object.spec.scope }}'
operator: Equals
value: Namespaced
validationFailureAction: audit
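Review bot: this fixture carries export residue that has nothing to do with the test: `generation: 1`, the `aws.cdk.eks/prune-...` label, the `policy.reporter.kyverno.io/minimal` annotation and `validationFailureAction: audit` on a rule that only mutates. Trimming it to the `match`, `preconditions` and `mutate` blocks keeps the test minimal and avoids tying it to one cluster's tooling. The description also says "namespace-scoped Custom Resource Definition"; CRDs are cluster-scoped objects, and the precondition on `{{ request.object.spec.scope }}` equal to `Namespaced` selects CRDs whose defined resource is namespaced, so the wording should say that.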
@@ -0,0 +1,11 @@
## Description

This test ensures the schema validation is skipped for CustomResourceDefinition.

## Expected Behavior

The Pod creation should be allowed.

## Reference Issue(s)

https://github.com/kyverno/kyverno/issues/7844
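Review bot: "The Pod creation should be allowed" does not describe this test. The fixture is a ClusterPolicy that mutates `CustomResourceDefinition` objects and the assertion in this commit checks that the policy reaches the `Ready` condition; state that expected outcome (the policy is admitted without a schema-validation error for CRDs and reports Ready) instead of a Pod creation that the test does not perform.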
@@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-xteam-namespace-scoped-crds
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader-fake
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
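Review bot: the `pod-reader-fake` ClusterRole is not referenced by the policy, the ready assertion or the README in this test; if it is needed to reproduce the issue, say so in the README, otherwise drop it so the fixture stays minimal.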