GO-2024-3230: Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

v1alpha1

package

v1.11.2-rc.1 Latest Latest Go to latest Published: Dec 22, 2023 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kyverno/kyverno

Documentation ¶

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type NamespaceSelector ¶

type NamespaceSelector struct {
	// Name is the namespace name
	Name string `json:"name"`

	// Labels are the labels for the given namespace
	Labels map[string]string `json:"labels"`
}

NamespaceSelector declares labels for a given namespace

type Policy ¶

type Policy struct {
	// Name is the policy name
	Name string `json:"name"`

	// Resources are values for specific resources
	Resources []Resource `json:"resources,omitempty"`

	// Rules are values for specific policy rules
	Rules []Rule `json:"rules,omitempty"`
}

Policy declares values for a given policy

type Resource ¶

type Resource struct {
	// Name is the name of the resource
	Name string `json:"name"`

	// Values are the values for the given resource
	// +kubebuilder:validation:Type=object
	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:Schemaless
	Values map[string]interface{} `json:"values,omitempty"`
}

Resource declares values for a given resource

type Rule ¶

type Rule struct {
	// Name is the name of the ppolicy rule
	Name string `json:"name"`

	// Values are the values for the given policy rule
	// +kubebuilder:validation:Type=object
	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:Schemaless
	Values map[string]interface{} `json:"values,omitempty"`

	// ForeachValues are the foreach values for the given policy rule
	// +kubebuilder:validation:Type=object
	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:Schemaless
	ForeachValues map[string][]interface{} `json:"foreachValues,omitempty"`
}

Rule declares values for a given policy rule

type Subresource ¶

type Subresource struct {
	// Subresource declares the subresource api
	Subresource metav1.APIResource `json:"subresource"`

	// ParentResource declares the parent resource api
	ParentResource metav1.APIResource `json:"parentResource"`
}

Subresource declares subresource/parent resource mapping

type Test ¶

type Test struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Name is the name of the test.
	// This field is deprecated, use `metadata.name` instead
	Name string `json:"name,omitempty"`

	// Policies are the policies to be used in the test
	Policies []string `json:"policies,omitempty"`

	// Resources are the resource to be used in the test
	Resources []string `json:"resources,omitempty"`

	// Variables is the values to be used in the test
	Variables string `json:"variables,omitempty"`

	// UserInfo is the user info to be used in the test
	UserInfo string `json:"userinfo,omitempty"`

	// Results are the results to be checked in the test
	Results []TestResult `json:"results,omitempty"`

	// Values are the values to be used in the test
	Values *ValuesSpec `json:"values,omitempty"`
}

Test declares a test

type TestResult ¶

type TestResult struct {
	TestResultBase       `json:",inline,omitempty"`
	TestResultDeprecated `json:",inline,omitempty"`

	// Resources gives us the list of resources on which the policy is going to be applied.
	Resources []string `json:"resources"`
}

TestResultBase declares a test result

type TestResultBase ¶

type TestResultBase struct {
	// Policy mentions the name of the policy.
	Policy string `json:"policy"`

	// Rule mentions the name of the rule in the policy.
	// It's required in case policy is a kyverno policy.
	// +optional
	Rule string `json:"rule,omitempty"`

	// IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
	// It's required in case policy is a validating admission policy.
	// +optional
	IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`

	// Result mentions the result that the user is expecting.
	// Possible values are pass, fail and skip.
	Result policyreportv1alpha2.PolicyResult `json:"result"`

	// Kind mentions the kind of the resource on which the policy is to be applied.
	Kind string `json:"kind"`

	// PatchedResource takes a resource configuration file in yaml format from
	// the user to compare it against the Kyverno mutated resource configuration.
	PatchedResource string `json:"patchedResource,omitempty"`

	// GeneratedResource takes a resource configuration file in yaml format from
	// the user to compare it against the Kyverno generated resource configuration.
	GeneratedResource string `json:"generatedResource,omitempty"`

	// CloneSourceResource takes the resource configuration file in yaml format
	// from the user which is meant to be cloned by the generate rule.
	CloneSourceResource string `json:"cloneSourceResource,omitempty"`
}

TestResultBase declares a test result base fields

type TestResultDeprecated ¶

type TestResultDeprecated struct {
	// Status mentions the status that the user is expecting.
	// Possible values are pass, fail and skip.
	// This is DEPRECATED, use `Result` instead.
	Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`

	// Resource mentions the name of the resource on which the policy is to be applied.
	// This is DEPRECATED, use `Resources` instead.
	Resource string `json:"resource,omitempty"`

	// Namespace mentions the namespace of the policy which has namespace scope.
	// This is DEPRECATED, use a name in the form `<namespace>/<name>` for policies and/or resources instead.
	Namespace string `json:"namespace,omitempty"`
}

TestResultBase declares a test result deprecated fields

type UserInfo ¶

type UserInfo struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// RequestInfo declares user infos
	kyvernov1beta1.RequestInfo `json:",inline"`
}

UserInfo declares user infos to be loaded by the Kyverno CLI

type Values ¶

type Values struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// ValuesSpec declares values
	ValuesSpec `json:",inline"`
}

Values declares values to be loaded by the Kyverno CLI

type ValuesSpec ¶

type ValuesSpec struct {
	// GlobalValues are the global values
	// +kubebuilder:validation:Type=object
	// +kubebuilder:pruning:PreserveUnknownFields
	// +kubebuilder:validation:Schemaless
	GlobalValues map[string]interface{} `json:"globalValues,omitempty"`

	// Policies are the policy values
	Policies []Policy `json:"policies,omitempty"`

	// NamespaceSelectors are the namespace labels
	NamespaceSelectors []NamespaceSelector `json:"namespaceSelector,omitempty"`

	// Subresources are the subresource/parent resource mappings
	Subresources []Subresource `json:"subresources,omitempty"`
}

ValuesSpec declares values to be loaded by the Kyverno CLI

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL