Commit 5bd1e34

policy: fix policies for kyverno v1.15
The ClusterPolicy `init-ns-integration` uses celPreconditions, which in kyverno v1.15 are only allowed alongside cel validation rules. Adjust the policy to use JMESPath preconditions instead.

Part-of: KFLUXINFRA-1963
Signed-off-by: Andy Sadler <[email protected]>
1 parent 09d4a46 commit 5bd1e34

1 file changed

+16
-6
lines changed

components/policies/development/integration/bootstrap-namespace/bootstrap-namespace.yaml

Lines changed: 16 additions & 6 deletions
@@ -19,9 +19,14 @@ spec:
1919
selector:
2020
matchLabels:
2121
konflux-ci.dev/type: tenant
22-
celPreconditions:
23-
- name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
24-
expression: "request.operation != UPDATE || ! (has(oldObject.metadata.labels) && 'konflux-ci.dev/type' in oldObject.metadata.labels && oldObject.metadata.labels['konflux-ci.dev/type] == 'tenant')"
22+
preconditions:
23+
any:
24+
- key: "{{ request.operation || '' }}"
25+
operator: NotEquals
26+
value: "UPDATE"
27+
- key: "{{ contains(keys(request.oldObject.metadata), 'labels') && lookup(request.oldObject.metadata.labels, 'konflux-ci.dev/type') || '' }}"
28+
operator: NotEquals
29+
value: "tenant"
2530
generate:
2631
generateExisting: true
2732
synchronize: false
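Review bot: on added line 27 the key calls keys(request.oldObject.metadata) with no fallback, unlike line 24, which guards request.operation with || ''. If request.oldObject is empty (as on a CREATE request), keys() receives a non-object argument, and JMESPath treats that as a type error rather than returning null, so it is worth confirming the rule still evaluates when the first condition in the any block already matches. A plain path lookup with a default, for example {{ request.oldObject.metadata.labels."konflux-ci.dev/type" || '' }}, yields '' when oldObject, metadata or labels is missing, without needing keys() or lookup().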
@@ -39,9 +44,14 @@ spec:
3944
selector:
4045
matchLabels:
4146
konflux-ci.dev/type: tenant
42-
celPreconditions:
43-
- name: "on update, oldObject had no konflux-ci.dev/type=tenant label"
44-
expression: "request.operation != UPDATE || ! (has(oldObject.metadata.labels) && 'konflux-ci.dev/type' in oldObject.metadata.labels && oldObject.metadata.labels['konflux-ci.dev/type] == 'tenant')"
47+
preconditions:
48+
any:
49+
- key: "{{ request.operation || '' }}"
50+
operator: NotEquals
51+
value: "UPDATE"
52+
- key: "{{ contains(keys(request.oldObject.metadata), 'labels') && lookup(request.oldObject.metadata.labels, 'konflux-ci.dev/type') || '' }}"
53+
operator: NotEquals
54+
value: "tenant"
4555
generate:
4656
generateExisting: true
4757
synchronize: false
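Review bot: added lines 47-54 repeat the preconditions block from lines 22-29 verbatim, and the replacement drops the descriptive name the removed celPreconditions entry carried ("on update, oldObject had no konflux-ci.dev/type=tenant label"). Suggest a YAML comment above each preconditions block stating that intent, so the two rules are not edited independently and left to drift. A policy test covering CREATE, UPDATE of an object that previously lacked the label, and UPDATE of an object already labelled tenant would pin the behaviour for both rules.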
