Rewrite kyverno validating policies as ValidatingAdmissionPolicies

Alex Ghitarequested to merge
1949-rewrite-kyverno-validating-policies-as-validatingadmissionpolicies into main

What does this MR do and why?

Related issue: #1876

With Kubernetes v1.30, ValidatingAdmissionPolicy has reached GA. We are migrating Kyverno policies that do not require mutation to ValidatingAdmissionPolicy.

  • Replicated Kyverno ClusterPolicy rules as ValidatingAdmissionPolicies.
  • Migrated matching objects and exclusions to ValidatingAdmissionPolicyBinding.
  • Added a new validating-admission-policies unit to sylva-units, including a Kustomization directory.

Policies migrated:

  • disallow-default-namespace
  • disallow-latest-and-main-tag
  • ensure-force-cluster-policy

Linked also to !3722 .

🔹 Note: MutatingAdmissionPolicy is not yet GA.

Related reference(s)

Test coverage

Manual tests on local deployments . Tested also in 8f1a2e15 .

CI configuration

Below you can choose test deployment variants to run in this MR's CI.

Click to open to CI configuration

Legend:

Icon Meaning Available values
☁️ Infra Provider capd, capo, capm3
🚀 Bootstrap Provider kubeadm (alias kadm), rke2
🐧 Node OS ubuntu, suse
🛠️ Deployment Options light-deploy, oci, ha, misc
🎬 Pipeline Scenarios rolling-update, mgmt-rolling-update, k8s-upgrade, sylva-upgrade-from-x.x.x, simple-update, preview, nightly

  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu 🛠️ oci

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 suse

  • ☁️ capo 🚀 kadm 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 mgmt-rolling-update 🛠️ ha,misc 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 mgmt-rolling-update 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.3.x 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines

Notes:

  • Enabling autorun will make deployment pipelines to be run automatically without human interaction
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • if both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will be blocking the pipeline

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited by Thomas Morin

Merge request reports