use API server CEL matchCondition for the Kyverno policy preventing the use of default namespace

Closes #1823

This MR replaces validation.cel.expressions (which are interpreted by Kyverno controllers) with webhookConfiguration.matchConditions, which are interpreted by the API server itself. This is more robust (it avoids breaking on errors when the Kyverno webhook isn't reachable) and also more efficient.

This was tested manually in my dev env by trying to create a DaemonSet in the default namespace:

$ kubectl apply -f ...
admission webhook "validate.kyverno.svc-fail-finegrained-disallow-default-namespace" denied the request:

resource DaemonSet/default/foo was blocked due to the following policies

disallow-default-namespace:
  validate-podcontroller-namespace: Using 'default' namespace is not allowed for Pod
    controllers.
Edited by Thomas Morin
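The two forms the MR contrasts, shown side by side as an added illustration (this is not the MR's own diff): first a policy whose namespace check runs as validate.cel.expressions inside the Kyverno controller, then the same policy with the check moved into a webhookConfiguration.matchConditions entry that the API server evaluates before it calls the webhook at all. The policy name, rule name and message are taken from the test output above. The list of Pod-controller kinds, the Kyverno 1.12+ spec.webhookConfiguration schema, and the use of an unconditional deny rule (deny: {}) to reject everything the match condition lets through are assumptions made for this example.

```yaml
# Added example, not the merge request's own change.
# Assumes Kyverno >= 1.12 (spec.webhookConfiguration.matchConditions) and
# that a validate.deny rule with no conditions denies every request it sees.

# BEFORE: the CEL expression is evaluated inside the Kyverno controller.
# Every create/update of these kinds, in every namespace, is sent to the
# Kyverno webhook just to inspect the namespace; with a Fail failurePolicy
# an unreachable webhook therefore blocks workload changes cluster-wide.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace
spec:
  validationFailureAction: Enforce
  rules:
  - name: validate-podcontroller-namespace
    match:
      any:
      - resources:
          kinds: [DaemonSet, Deployment, StatefulSet, Job]   # assumed kinds
    validate:
      cel:
        expressions:
        - expression: "object.metadata.namespace != 'default'"
          message: "Using 'default' namespace is not allowed for Pod controllers."
---
# AFTER: the namespace test becomes a matchCondition on the fine-grained
# webhook Kyverno registers for this policy. The API server evaluates the
# CEL itself and only forwards requests whose namespace is "default", so
# requests in other namespaces never touch the webhook. If the webhook is
# unreachable, only requests the policy would have rejected anyway fail,
# and the controller no longer spends a round trip on every other request.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace
spec:
  validationFailureAction: Enforce
  webhookConfiguration:
    matchConditions:
    - name: default-namespace-only
      # `request` is the AdmissionRequest exposed to webhook matchConditions
      expression: "request.namespace == 'default'"
  rules:
  - name: validate-podcontroller-namespace
    match:
      any:
      - resources:
          kinds: [DaemonSet, Deployment, StatefulSet, Job]   # assumed kinds
    validate:
      message: "Using 'default' namespace is not allowed for Pod controllers."
      # Everything that reaches this rule already matched the condition above,
      # so the rule denies unconditionally.
      deny: {}
```

One thing to check after switching: matchConditions are applied to the generated ValidatingWebhookConfiguration, so a quick look at that object (kubectl get validatingwebhookconfiguration -o yaml) confirms the API server, not Kyverno, is doing the namespace filtering. Note also that the before/after policies are alternatives to each other, not meant to be applied together.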
