Skip to content

Commit

Permalink
NDEV-20176: backport allow changes for preexisting resources that vio…
Browse files Browse the repository at this point in the history 
…late policy

Signed-off-by: Ved Ratan <[email protected]>
  • Loading branch information
@VedRatan
VedRatan committed Sep 17, 2024
1 parent bacf569 commit f08af5b
Show file tree
Hide file tree
Showing 53 changed files with 41,371 additions and 151 deletions.
6 changes: 3 additions & 3 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools
KIND := $(TOOLS_DIR)/kind
KIND_VERSION := v0.20.0
CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen
CONTROLLER_GEN_VERSION := v0.12.0
CONTROLLER_GEN_VERSION := v0.14.0
CLIENT_GEN := $(TOOLS_DIR)/client-gen
LISTER_GEN := $(TOOLS_DIR)/lister-gen
INFORMER_GEN := $(TOOLS_DIR)/informer-gen
Expand Down Expand Up @@ -488,12 +488,12 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati
.PHONY: codegen-crds-kyverno
codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
@echo Generate kyverno crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/kyverno

.PHONY: codegen-crds-report
codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
@echo Generate policy reports crds... >&2
@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
@$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)/policyreport

.PHONY: codegen-crds-cli
codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs
Expand Down
5 changes: 5 additions & 0 deletions api/kyverno/v1/common_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,11 @@ type Validation struct {
// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).
// +optional
CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"`

// AllowExistingViolations allows prexisting violating resources to continue violating a policy.
// +kubebuilder:validation:Optional
// +kubebuilder:default=true
AllowExistingViolations *bool `json:"allowExistingViolations,omitempty" yaml:"allowExistingViolations,omitempty"`
}

// PodSecurity applies exemptions for Kubernetes Pod Security admission
Expand Down
11 changes: 11 additions & 0 deletions api/kyverno/v1/rule_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,17 @@ func (r *Rule) HasValidate() bool {
return !datautils.DeepEqual(r.Validation, Validation{})
}

// HasValidateAllowExistingViolations() checks for allowExisitingViolations under validate rule
func (r *Rule) HasValidateAllowExistingViolations() bool {
var allowExisitingViolations bool
if r.Validation.AllowExistingViolations == nil {
allowExisitingViolations = true
} else {
allowExisitingViolations = *r.Validation.AllowExistingViolations
}
return allowExisitingViolations
}

// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !datautils.DeepEqual(r.Generation, Generation{})
Expand Down
5 changes: 5 additions & 0 deletions api/kyverno/v1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

340 changes: 340 additions & 0 deletions config/crds/kyverno/kyverno.io_admissionreports.yaml
View file

Large diffs are not rendered by default.

299 changes: 299 additions & 0 deletions config/crds/kyverno/kyverno.io_backgroundscanreports.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,299 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: backgroundscanreports.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: BackgroundScanReport
listKind: BackgroundScanReportList
plural: backgroundscanreports
shortNames:
- bgscanr
singular: backgroundscanreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.ownerReferences[0].apiVersion
name: ApiVersion
type: string
- jsonPath: .metadata.ownerReferences[0].kind
name: Kind
type: string
- jsonPath: .metadata.ownerReferences[0].name
name: Subject
type: string
- jsonPath: .spec.summary.pass
name: Pass
type: integer
- jsonPath: .spec.summary.fail
name: Fail
type: integer
- jsonPath: .spec.summary.warn
name: Warn
type: integer
- jsonPath: .spec.summary.error
name: Error
type: integer
- jsonPath: .spec.summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
name: Hash
priority: 1
type: string
name: v1alpha2
schema:
openAPIV3Schema:
description: BackgroundScanReport is the Schema for the BackgroundScanReports
API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
message:
description: Description is a short user friendly message for
the policy rule
type: string
policy:
description: Policy is the name or identifier of the policy
type: string
properties:
additionalProperties:
type: string
description: Properties provides additional information for
the policy rule
type: object
resourceSelector:
description: |-
SubjectSelector is an optional label selector for checked Kubernetes resources.
For example, a policy result may apply to all pods that match a label.
Either a Subject or a SubjectSelector can be specified.
If neither are provided, the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
resources:
description: Subjects is an optional reference to the checked
Kubernetes resources
items:
description: |-
ObjectReference contains enough information to let you inspect or modify the referred object.
---
New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs.
1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage.
2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular
restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted".
Those cannot be well described when embedded.
3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen.
4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity
during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple
and the version of the actual struct is irrelevant.
5. We cannot easily change it. Because this type is embedded in many locations, updates to this type
will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used type that is well-focused on your reference.
For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: |-
If referring to a piece of an object instead of an entire object, this string
should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within a pod, this would take on a value like:
"spec.containers{name}" (where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined way of
referencing a part of an object.
TODO: this design is not final and this field is subject to change in the future.
type: string
kind:
description: |-
Kind of the referent.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
name:
description: |-
Name of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
namespace:
description: |-
Namespace of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
type: string
resourceVersion:
description: |-
Specific resourceVersion to which this reference is made, if any.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
type: string
uid:
description: |-
UID of the referent.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
type: string
type: object
x-kubernetes-map-type: atomic
type: array
result:
description: Result indicates the outcome of the policy rule
execution
enum:
- pass
- fail
- warn
- error
- skip
type: string
rule:
description: Rule is the name or identifier of the rule within
the policy
type: string
scored:
description: Scored indicates if this result is scored
type: boolean
severity:
description: Severity indicates policy check result criticality
enum:
- critical
- high
- low
- medium
- info
type: string
source:
description: Source is an identifier for the policy engine that
manages this report
type: string
timestamp:
description: Timestamp indicates the time the result was found
properties:
nanos:
description: |-
Non-negative fractions of a second at nanosecond resolution. Negative
second values with fractions must still have non-negative nanos values
that count forward in time. Must be from 0 to 999,999,999
inclusive. This field may be limited in precision depending on context.
format: int32
type: integer
seconds:
description: |-
Represents seconds of UTC time since Unix epoch
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
9999-12-31T23:59:59Z inclusive.
format: int64
type: integer
required:
- nanos
- seconds
type: object
required:
- policy
type: object
type: array
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not
be evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not
selected for evaluation
type: integer
warn:
description: Warn provides the count of non-scored policies whose
requirements were not met
type: integer
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources: {}
Loading

0 comments on commit f08af5b

Please sign in to comment.