From b26d4cd21b50e500bc8248a99c652c94ec8888ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Mon, 2 Oct 2023 23:09:52 +0200
Subject: [PATCH] chore: split api files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 config/crds/json.kyverno.io_policies.yaml | 3 +-
 pkg/apis/v1alpha1/context_entry.go | 10 +++
 pkg/apis/v1alpha1/match_resources.go | 11 +++
 pkg/apis/v1alpha1/policy.go | 85 --------------------
 pkg/apis/v1alpha1/policy_spec.go | 7 ++
 pkg/apis/v1alpha1/resource_filter.go | 10 +++
 pkg/apis/v1alpha1/resource_filters.go | 4 +
 pkg/apis/v1alpha1/rule.go | 27 +++++++
 pkg/apis/v1alpha1/validation.go | 14 ++++
 pkg/apis/v1alpha1/variable.go | 9 +++
 pkg/data/crds/json.kyverno.io_policies.yaml | 3 +-
 11 files changed, 94 insertions(+), 89 deletions(-)
 create mode 100644 pkg/apis/v1alpha1/context_entry.go
 create mode 100644 pkg/apis/v1alpha1/match_resources.go
 create mode 100644 pkg/apis/v1alpha1/policy_spec.go
 create mode 100644 pkg/apis/v1alpha1/resource_filter.go
 create mode 100644 pkg/apis/v1alpha1/resource_filters.go
 create mode 100644 pkg/apis/v1alpha1/rule.go
 create mode 100644 pkg/apis/v1alpha1/validation.go
 create mode 100644 pkg/apis/v1alpha1/variable.go

diff --git a/config/crds/json.kyverno.io_policies.yaml b/config/crds/json.kyverno.io_policies.yaml
index 54650dde..110eb455 100644
--- a/config/crds/json.kyverno.io_policies.yaml
+++ b/config/crds/json.kyverno.io_policies.yaml
@@ -42,8 +42,7 @@ spec:
 can be used during rule execution.
 items:
 description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ to a rule Context.
 properties:
 name:
 description: Name is the variable name.
diff --git a/pkg/apis/v1alpha1/context_entry.go b/pkg/apis/v1alpha1/context_entry.go
new file mode 100644
index 00000000..6f24f633
--- /dev/null
+++ b/pkg/apis/v1alpha1/context_entry.go
@@ -0,0 +1,10 @@
+package v1alpha1
+
+// ContextEntry adds variables and data sources to a rule Context.
+type ContextEntry struct {
+ // Name is the variable name.
+ Name string `json:"name"`
+
+ // Variable defines an arbitrary JMESPath context variable that can be defined inline.
+ Variable *Variable `json:"variable,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/match_resources.go b/pkg/apis/v1alpha1/match_resources.go
new file mode 100644
index 00000000..dca0ae93
--- /dev/null
+++ b/pkg/apis/v1alpha1/match_resources.go
@@ -0,0 +1,11 @@
+package v1alpha1
+
+type MatchResources struct {
+ // Any allows specifying resources which will be ORed
+ // +optional
+ Any ResourceFilters `json:"any,omitempty"`
+
+ // All allows specifying resources which will be ANDed
+ // +optional
+ All ResourceFilters `json:"all,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/policy.go b/pkg/apis/v1alpha1/policy.go
index efbe2e2f..1fe5051d 100644
--- a/pkg/apis/v1alpha1/policy.go
+++ b/pkg/apis/v1alpha1/policy.go
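Review bot: The new comment on `type ContextEntry` drops the sentence that said which source must be provided, and nothing replaces it; with `Variable` being an `omitempty` pointer and the only source field, an entry carrying just `name` is now schema-valid and the type documents no requirement at all. Whether such an entry is rejected later or silently yields an undefined variable is not visible in this patch, so the doc should say which. Suggested type comment: `// ContextEntry adds variables and data sources to a rule Context. Variable is currently the only supported source.`, plus one sentence on the `Variable` field stating whether it is required.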
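Review bot: `MatchResources` is an exported type with no doc comment, so its Any/All semantics are documented only per field and the generated CRD gets no description for the `match`/`exclude` objects; `PolicySpec` in policy_spec.go and `Rule` in rule.go have the same gap. Suggested: `// MatchResources selects resources with filters that are ORed (Any) or ANDed (All).`. Both fields are `omitempty`, so an empty `match:` block passes the schema; what an empty MatchResources matches is not derivable from this file and is worth stating in that comment.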
@@ -14,88 +14,3 @@ type Policy struct {
 metav1.ObjectMeta `json:"metadata,omitempty"`
 Spec PolicySpec `json:"spec"`
 }
-
-type PolicySpec struct {
- // Rules is a list of Rule instances. A Policy contains multiple rules and
- // each rule can validate, mutate, or generate resources.
- Rules []Rule `json:"rules,omitempty"`
-}
-
-type Rule struct {
- // Name is a label to identify the rule, It must be unique within the policy.
- // +kubebuilder:validation:MaxLength=63
- Name string `json:"name"`
-
- // Context defines variables and data sources that can be used during rule execution.
- // +optional
- Context []ContextEntry `json:"context,omitempty"`
-
- // MatchResources defines when this policy rule should be applied. The match
- // criteria can include resource information (e.g. kind, name, namespace, labels)
- // and admission review request information like the user name or role.
- // At least one kind is required.
- MatchResources *MatchResources `json:"match,omitempty"`
-
- // ExcludeResources defines when this policy rule should not be applied. The exclude
- // criteria can include resource information (e.g. kind, name, namespace, labels)
- // and admission review request information like the name or role.
- // +optional
- ExcludeResources *MatchResources `json:"exclude,omitempty"`
-
- // Validation is used to validate matching resources.
- // +optional
- Validation *Validation `json:"validate,omitempty"`
-}
-
-// ContextEntry adds variables and data sources to a rule Context. Either a
-// ConfigMap reference or a APILookup must be provided.
-type ContextEntry struct {
- // Name is the variable name.
- Name string `json:"name"`
-
- // Variable defines an arbitrary JMESPath context variable that can be defined inline.
- Variable *Variable `json:"variable,omitempty"`
-}
-
-// Variable defines an arbitrary JMESPath context variable that can be defined inline.
-type Variable struct {
- // Value is any arbitrary JSON object representable in YAML or JSON form.
- // +kubebuilder:pruning:PreserveUnknownFields
- // +kubebuilder:validation:Schemaless
- Value interface{} `json:"value,omitempty"`
-}
-
-type MatchResources struct {
- // Any allows specifying resources which will be ORed
- // +optional
- Any ResourceFilters `json:"any,omitempty"`
-
- // All allows specifying resources which will be ANDed
- // +optional
- All ResourceFilters `json:"all,omitempty"`
-}
-
-// ResourceFilters is a slice of ResourceFilter
-type ResourceFilters []ResourceFilter
-
-// ResourceFilter allow users to "AND" or "OR" between resources
-type ResourceFilter struct {
- // ResourceDescription contains information about the resource being created or modified.
- // +kubebuilder:validation:Type=object
- // +kubebuilder:pruning:PreserveUnknownFields
- // +kubebuilder:validation:Schemaless
- Resource map[string]interface{} `json:"resource,omitempty"`
-}
-
-// Validation defines checks to be performed on matching resources.
-type Validation struct {
- // Message specifies a custom message to be displayed on failure.
- // +optional
- Message string `json:"message,omitempty"`
-
- // Pattern specifies an overlay-style pattern used to check resources.
- // +kubebuilder:validation:Type=object
- // +kubebuilder:pruning:PreserveUnknownFields
- // +kubebuilder:validation:Schemaless
- Pattern map[string]interface{} `json:"pattern,omitempty"`
-}
diff --git a/pkg/apis/v1alpha1/policy_spec.go b/pkg/apis/v1alpha1/policy_spec.go
new file mode 100644
index 00000000..177e1935
--- /dev/null
+++ b/pkg/apis/v1alpha1/policy_spec.go
@@ -0,0 +1,7 @@
+package v1alpha1
+
+type PolicySpec struct {
+ // Rules is a list of Rule instances. A Policy contains multiple rules and
+ // each rule can validate, mutate, or generate resources.
+ Rules []Rule `json:"rules,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/resource_filter.go b/pkg/apis/v1alpha1/resource_filter.go
new file mode 100644
index 00000000..38507332
--- /dev/null
+++ b/pkg/apis/v1alpha1/resource_filter.go
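Review bot: The comment on `Rules` in policy_spec.go says each rule "can validate, mutate, or generate resources", but the `Rule` type this commit introduces in rule.go carries only a `Validation` field, so the doc promises capabilities the API does not expose. Because controller-gen copies this comment into the CRD description, the claim also reaches users browsing the schema. Suggested: `// Rules is a list of Rule instances. A Policy contains multiple rules and each rule validates matching resources.`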
@@ -0,0 +1,10 @@
+package v1alpha1
+
+// ResourceFilter allow users to "AND" or "OR" between resources
+type ResourceFilter struct {
+ // ResourceDescription contains information about the resource being created or modified.
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ Resource map[string]interface{} `json:"resource,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/resource_filters.go b/pkg/apis/v1alpha1/resource_filters.go
new file mode 100644
index 00000000..b1168001
--- /dev/null
+++ b/pkg/apis/v1alpha1/resource_filters.go
@@ -0,0 +1,4 @@
+package v1alpha1
+
+// ResourceFilters is a slice of ResourceFilter
+type ResourceFilters []ResourceFilter
diff --git a/pkg/apis/v1alpha1/rule.go b/pkg/apis/v1alpha1/rule.go
new file mode 100644
index 00000000..61767df1
--- /dev/null
+++ b/pkg/apis/v1alpha1/rule.go
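Review bot: The field comment in `ResourceFilter` documents a field named `ResourceDescription`, but the field is `Resource`, so godoc and the generated CRD description refer to a name that does not exist; the type comment also reads "allow" for a singular subject. Suggested: `// Resource is a free-form description of the resource to match; it is Schemaless and not validated by the API server.` and `// ResourceFilter allows users to "AND" or "OR" between resources`. The "being created or modified" wording presumably comes from an admission-time origin; whether it still applies to this JSON-policy type cannot be told from the hunk.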
@@ -0,0 +1,27 @@
+package v1alpha1
+
+type Rule struct {
+ // Name is a label to identify the rule, It must be unique within the policy.
+ // +kubebuilder:validation:MaxLength=63
+ Name string `json:"name"`
+
+ // Context defines variables and data sources that can be used during rule execution.
+ // +optional
+ Context []ContextEntry `json:"context,omitempty"`
+
+ // MatchResources defines when this policy rule should be applied. The match
+ // criteria can include resource information (e.g. kind, name, namespace, labels)
+ // and admission review request information like the user name or role.
+ // At least one kind is required.
+ MatchResources *MatchResources `json:"match,omitempty"`
+
+ // ExcludeResources defines when this policy rule should not be applied. The exclude
+ // criteria can include resource information (e.g. kind, name, namespace, labels)
+ // and admission review request information like the name or role.
+ // +optional
+ ExcludeResources *MatchResources `json:"exclude,omitempty"`
+
+ // Validation is used to validate matching resources.
+ // +optional
+ Validation *Validation `json:"validate,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/validation.go b/pkg/apis/v1alpha1/validation.go
new file mode 100644
index 00000000..e99bf80f
--- /dev/null
+++ b/pkg/apis/v1alpha1/validation.go
@@ -0,0 +1,14 @@
+package v1alpha1
+
+// Validation defines checks to be performed on matching resources.
+type Validation struct {
+ // Message specifies a custom message to be displayed on failure.
+ // +optional
+ Message string `json:"message,omitempty"`
+
+ // Pattern specifies an overlay-style pattern used to check resources.
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ Pattern map[string]interface{} `json:"pattern,omitempty"`
+}
diff --git a/pkg/apis/v1alpha1/variable.go b/pkg/apis/v1alpha1/variable.go
new file mode 100644
index 00000000..b7a430c9
--- /dev/null
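Review bot: The comment on `Rule.MatchResources` says "At least one kind is required", yet the field is an `omitempty` pointer with no `+optional` or required marker, so the generated schema accepts a rule with no `match` at all while its sibling `ExcludeResources` is explicitly `+optional`; the comment and the schema disagree. Either mark it `// +optional` and reword, or drop `omitempty` (and the pointer) so controller-gen emits it as required. The "admission review request information like the user name or role" sentence also looks carried over from an admission-webhook API; nothing visible in this patch shows such request data, so it should be confirmed or removed. `Name` has the same doc/marker drift: `MaxLength=63` but no `MinLength`, so an empty rule name passes the schema even though the comment calls it the rule's identifier.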
+++ b/pkg/apis/v1alpha1/variable.go
@@ -0,0 +1,9 @@
+package v1alpha1
+
+// Variable defines an arbitrary JMESPath context variable that can be defined inline.
+type Variable struct {
+ // Value is any arbitrary JSON object representable in YAML or JSON form.
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ Value interface{} `json:"value,omitempty"`
+}
diff --git a/pkg/data/crds/json.kyverno.io_policies.yaml b/pkg/data/crds/json.kyverno.io_policies.yaml
index 54650dde..110eb455 100644
--- a/pkg/data/crds/json.kyverno.io_policies.yaml
+++ b/pkg/data/crds/json.kyverno.io_policies.yaml
@@ -42,8 +42,7 @@ spec:
 can be used during rule execution.
 items:
 description: ContextEntry adds variables and data sources
- to a rule Context. Either a ConfigMap reference or a APILookup
- must be provided.
+ to a rule Context.
 properties:
 name:
 description: Name is the variable name.
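Review bot: The comment on `Variable.Value` calls it "any arbitrary JSON object", but the field is `interface{}` with `Schemaless`, so scalars, arrays and `null` are accepted too, and `omitempty` on an interface means a `null` value is indistinguishable from an absent one after a round trip. The `Schemaless` and `PreserveUnknownFields` markers also mean the API server performs no validation on this content, exactly as for `ResourceFilter.Resource` and `Validation.Pattern`; whatever evaluates these fields has to treat them as unvalidated input, which is worth stating once in the comment. Suggested: `// Value is any JSON value (object, array, scalar or null) representable in YAML or JSON form. It is stored schemaless and is not validated by the API server.`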