feat: add kyverno json support to validation rule (kyverno#10763)
* feat: add kyverno json support to validation rule

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* v2beta1

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* validation

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* engine handler

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* bindings

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* context functions

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

* better bindings

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

---------

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly authored Aug 2, 2024
1 parent 5c04256 commit fc694bc
Showing 27 changed files with 499 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/conformance.yaml
@@ -94,6 +94,7 @@ jobs:
- name: v1.30
version: v1.30.0
tests:
- ^assert$
- ^autogen$
- ^background-only$
- ^cleanup$
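Review bot: the `^assert$` test group is added only under the `v1.30` matrix entry shown here (the hunk header reports a single added line); if the conformance workflow carries entries for other Kubernetes versions, those will not run the assert tests, so either add the same entry to each version block or move the test list into a shared YAML anchor so a new group cannot be missed.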
8 changes: 8 additions & 0 deletions api/kyverno/v1/common_types.go
@@ -4,6 +4,7 @@ import (
"encoding/json"
"fmt"

kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
"github.com/kyverno/kyverno/api/kyverno"
"github.com/kyverno/kyverno/pkg/engine/variables/regex"
"github.com/kyverno/kyverno/pkg/pss/utils"
@@ -19,6 +20,9 @@ import (
"k8s.io/pod-security-admission/api"
)

// AssertionTree defines a kyverno-json assertion tree.
type AssertionTree = kjson.Any

// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
// +kubebuilder:validation:Enum=Ignore;Fail
type FailurePolicyType string
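Review bot: `type AssertionTree = kjson.Any` aliases a type from kyverno-json's `v1alpha1` API into the stable `v1` Kyverno API, so the shape and semantics of `validate.assert` are now defined by an alpha type in another module, and any breaking change there lands in `v1` without an API version bump; pin the kyverno-json dependency deliberately and say so in the `AssertionTree` doc comment. Because this is an alias rather than a named type, the generated deepcopy has to delegate to the `DeepCopy` of `kjson.Any`; confirm the regenerated `zz_generated.deepcopy.go` does that rather than copying the struct shallowly.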
@@ -495,6 +499,10 @@ type Validation struct {
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
// +optional
CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`

// Assert defines a kyverno-json assertion tree.
// +optional
Assert AssertionTree `json:"assert"`
}

// PodSecurity applies exemptions for Kubernetes Pod Security admission
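Review bot: the `Assert` field is marked `+optional` but tagged `json:"assert"` with no `omitempty` and no `yaml` tag, whereas the sibling `CEL` field is tagged `json:"cel,omitempty" yaml:"cel,omitempty"`; as written, every serialised rule will emit an `assert` key even when the field is unset, and tooling that reads the `yaml` tags will not see the field at all, so add `omitempty` (or make sure the marshaller of `kjson.Any` honours it) and a matching `yaml:"assert,omitempty"` tag. Also, unlike `CEL *CEL`, `Assert` is a value type, so the engine cannot nil-check it to decide whether a rule is an assert rule; the policy validation step should reject a rule that sets `assert` together with `pattern`, `anyPattern` or `cel`, and the doc comment should state what an empty tree means.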
1 change: 1 addition & 0 deletions api/kyverno/v1/zz_generated.deepcopy.go

8 changes: 8 additions & 0 deletions api/kyverno/v2beta1/common_types.go
@@ -1,10 +1,14 @@
package v2beta1

import (
kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
)

// AssertionTree defines a kyverno-json assertion tree.
type AssertionTree = kjson.Any

// Validation defines checks to be performed on matching resources.
type Validation struct {
// ValidationFailureAction defines if a validation policy rule violation should block
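Review bot: this re-declares the `AssertionTree` alias that `api/kyverno/v1` already defines; since this package already imports `kyvernov1` (it uses `kyvernov1.CEL` below), `type AssertionTree = kyvernov1.AssertionTree` would keep both API versions on a single definition and drop the direct kyverno-json import from v2beta1.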
@@ -55,6 +59,10 @@ type Validation struct {
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
// +optional
CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"`

// Assert defines a kyverno-json assertion tree.
// +optional
Assert AssertionTree `json:"assert"`
}

// ConditionOperator is the operation performed on condition key and value.
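Review bot: same tag inconsistency as in the v1 struct: `+optional` with `json:"assert"` but no `omitempty` and no `yaml` tag, while `CEL` has both; align the tags. The conversion between `v2beta1.Validation` and `v1.Validation` also has to copy the new field in both directions, which is not visible in the rendered files here; please verify it is covered and has a round-trip test.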
1 change: 1 addition & 0 deletions api/kyverno/v2beta1/zz_generated.deepcopy.go

@@ -2374,6 +2374,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
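Review bot: `type: object` with `x-kubernetes-preserve-unknown-fields: true` disables all structural validation of the assertion tree at the API server, so a malformed tree is persisted and surfaces only when the rule is evaluated; make sure the policy validation webhook parses `assert` with kyverno-json at admission and rejects bad trees there, and that the same webhook enforces mutual exclusion of `assert` with `pattern`, `anyPattern` and `cel`, since this schema cannot express that constraint.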
@@ -6720,6 +6724,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -10815,6 +10824,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -15219,6 +15232,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -2375,6 +2375,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -6722,6 +6726,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -10818,6 +10827,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -15222,6 +15235,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
18 changes: 18 additions & 0 deletions cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
@@ -2368,6 +2368,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
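Review bot: this is the CLI's embedded copy of the CRD in `config/crds/kyverno/kyverno.io_clusterpolicies.yaml`, and the same four hunks appear in both files; confirm that both copies are produced by the same codegen step so the schema the CLI validates against cannot drift from the one installed in the cluster.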
@@ -6714,6 +6718,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -10809,6 +10818,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -15213,6 +15226,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
18 changes: 18 additions & 0 deletions cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
@@ -2369,6 +2369,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -6716,6 +6720,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -10812,6 +10821,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -15216,6 +15229,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
18 changes: 18 additions & 0 deletions config/crds/kyverno/kyverno.io_clusterpolicies.yaml
@@ -2368,6 +2368,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -6714,6 +6718,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -10809,6 +10818,10 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the Common
Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
@@ -15213,6 +15226,11 @@ spec:
AnyPattern specifies list of validation patterns. At least one of the patterns
must be satisfied for the validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
assert:
description: Assert defines a kyverno-json assertion
tree.
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
description: CEL allows validation checks using the
Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).