Refactor Kyverno policies, in order to remove deprecated fields

What does this MR do and why?

This MR was raised to address the issue described in #2356 (closed).

In the current version, the Kyverno policies are defined with deprecated fields, as follows:

Deprecated fields in Policy
GROUP:      kyverno.io
KIND:       Policy
VERSION:    v1

FIELD: spec <Object>


DESCRIPTION:
    Spec defines policy behaviors and contains one or more rules.

FIELDS:
  admission     <boolean>
    Admission controls if rules are applied during admission.
    Optional. Default value is "true".

  applyRules    <string>
  enum: All, One
    ApplyRules controls how rules in a policy are applied. Rule are processed in
    the order of declaration. When set to `One` processing stops after a rule
    has
    been applied i.e. the rule matches and results in a pass, fail, or error.
    When
    set to `All` all rules in the policy are processed. The default is `All`.

  background    <boolean>
    Background controls if rules are applied to existing resources during a
    background scan.
    Optional. Default value is "true". The value must be set to "false" if the
    policy rule
    uses variables that are only available in the admission review request (e.g.
    user name).

  emitWarning   <boolean>
    EmitWarning enables API response warnings for mutate policy rules or
    validate policy rules with validationFailureAction set to Audit.
    Enabling this option will extend admission request processing times. The
    default value is "false".

  failurePolicy <string>
  enum: Ignore, Fail
    Deprecated, use failurePolicy under the webhookConfiguration instead.

  generateExisting      <boolean>
    Deprecated, use generateExisting under the generate rule instead

  generateExistingOnPolicyUpdate        <boolean>
    Deprecated, use generateExisting instead

  mutateExistingOnPolicyUpdate  <boolean>
    Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead

  rules <[]Object>
    Rules is a list of Rule instances. A Policy contains multiple rules and
    each rule can validate, mutate, or generate resources.

  schemaValidation      <boolean>
    Deprecated.

  useServerSideApply    <boolean>
    UseServerSideApply controls whether to use server-side apply for generate
    rules
    If is set to "true" create & update for generate rules will use apply
    instead of create/update.
    Defaults to "false" if not specified.

  validationFailureAction       <string>
  enum: audit, enforce, Audit, Enforce
    Deprecated, use validationFailureAction under the validate rule instead.

  validationFailureActionOverrides      <[]Object>
    Deprecated, use validationFailureActionOverrides under the validate rule
    instead.

  webhookConfiguration  <Object>
    WebhookConfiguration specifies the custom configuration for Kubernetes
    admission webhookconfiguration.

  webhookTimeoutSeconds <integer>
    Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

Deprecated fields in ClusterPolicy
GROUP:      kyverno.io
KIND:       ClusterPolicy
VERSION:    v1

FIELD: spec <Object>


DESCRIPTION:
    Spec declares policy behaviors.

FIELDS:
  admission     <boolean>
    Admission controls if rules are applied during admission.
    Optional. Default value is "true".

  applyRules    <string>
  enum: All, One
    ApplyRules controls how rules in a policy are applied. Rule are processed in
    the order of declaration. When set to `One` processing stops after a rule
    has
    been applied i.e. the rule matches and results in a pass, fail, or error.
    When
    set to `All` all rules in the policy are processed. The default is `All`.

  background    <boolean>
    Background controls if rules are applied to existing resources during a
    background scan.
    Optional. Default value is "true". The value must be set to "false" if the
    policy rule
    uses variables that are only available in the admission review request (e.g.
    user name).

  emitWarning   <boolean>
    EmitWarning enables API response warnings for mutate policy rules or
    validate policy rules with validationFailureAction set to Audit.
    Enabling this option will extend admission request processing times. The
    default value is "false".

  failurePolicy <string>
  enum: Ignore, Fail
    Deprecated, use failurePolicy under the webhookConfiguration instead.

  generateExisting      <boolean>
    Deprecated, use generateExisting under the generate rule instead

  generateExistingOnPolicyUpdate        <boolean>
    Deprecated, use generateExisting instead

  mutateExistingOnPolicyUpdate  <boolean>
    Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead

  rules <[]Object>
    Rules is a list of Rule instances. A Policy contains multiple rules and
    each rule can validate, mutate, or generate resources.

  schemaValidation      <boolean>
    Deprecated.

  useServerSideApply    <boolean>
    UseServerSideApply controls whether to use server-side apply for generate
    rules
    If is set to "true" create & update for generate rules will use apply
    instead of create/update.
    Defaults to "false" if not specified.

  validationFailureAction       <string>
  enum: audit, enforce, Audit, Enforce
    Deprecated, use validationFailureAction under the validate rule instead.

  validationFailureActionOverrides      <[]Object>
    Deprecated, use validationFailureActionOverrides under the validate rule
    instead.

  webhookConfiguration  <Object>
    WebhookConfiguration specifies the custom configuration for Kubernetes
    admission webhookconfiguration.

  webhookTimeoutSeconds <integer>
    Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.

With this MR, the unnecessary fields were removed and the deprecated fields were replaced with their new equivalents.

Related reference(s)

Closes #2356 (closed)

Test coverage

This was tested in a CAPO environment and the policies are getting correctly deployed, without any errors.
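The migration this MR performs, shown as an added example (not code from the MR or from the Sylva project): a script that moves each deprecated spec-level field of a constructed ClusterPolicy to the replacement location named in the `kubectl explain` output above, and drops `schemaValidation`, which has no replacement. A value already set on a rule is kept rather than overwritten.

```python
import copy

# Constructed sample (not from the MR): a ClusterPolicy still using the spec-level fields that `kubectl explain` marks deprecated.
OLD_POLICY = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "require-app-label"},
    "spec": {
        "validationFailureAction": "Enforce",
        "validationFailureActionOverrides": [{"action": "Audit", "namespaces": ["dev"]}],
        "failurePolicy": "Fail",
        "webhookTimeoutSeconds": 15,
        "generateExisting": True,
        "schemaValidation": True,
        "rules": [
            {"name": "check-label", "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
             "validate": {"pattern": {"metadata": {"labels": {"app": "?*"}}}}},
            {"name": "default-quota", "match": {"any": [{"resources": {"kinds": ["Namespace"]}}]},
             "generate": {"apiVersion": "v1", "kind": "ResourceQuota", "name": "quota", "data": {}}},
        ],
    },
}

# Deprecated spec field -> (rule block it moves into, key it takes there), per the `kubectl explain` text.
RULE_FIELDS = {
    "validationFailureAction": ("validate", "validationFailureAction"),
    "validationFailureActionOverrides": ("validate", "validationFailureActionOverrides"),
    "generateExisting": ("generate", "generateExisting"),
    "generateExistingOnPolicyUpdate": ("generate", "generateExisting"),
    "mutateExistingOnPolicyUpdate": ("mutate", "mutateExistingOnPolicyUpdate"),
}
WEBHOOK_FIELDS = ("failurePolicy", "webhookTimeoutSeconds")  # move under spec.webhookConfiguration

def migrate_policy(policy):
    """Return a copy of `policy` with deprecated spec fields moved to their replacements."""
    new = copy.deepcopy(policy)
    spec = new["spec"]
    for field, (block, key) in RULE_FIELDS.items():
        if field in spec:
            value = spec.pop(field)
            for rule in spec.get("rules", []):
                if block in rule:  # only rules of that type carry the field; keep a rule-level value
                    rule[block].setdefault(key, value)
    for field in WEBHOOK_FIELDS:
        if field in spec:
            spec.setdefault("webhookConfiguration", {})[field] = spec.pop(field)
    spec.pop("schemaValidation", None)  # deprecated with no replacement
    return new
```

Moving `validationFailureAction` instead of dropping it is the part that matters for enforcement: Kyverno's default for that field is Audit, so a policy that silently loses its Enforce setting stops blocking non-compliant resources.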

CI configuration

Below you can choose test deployment variants to run in this MR's CI.


Legend:

Icon  Meaning              Available values
☁️    Infra Provider       capd, capo, capm3
🚀    Bootstrap Provider   kubeadm (alias kadm), rke2
🐧    Node OS              ubuntu, suse
🛠️    Deployment Options   light-deploy, dev-sources, ha, misc, maxsurge-0, logging, no-logging
🎬    Pipeline Scenarios   Available scenario list and description
  • 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu

  • 🎬 preview ☁️ capo 🚀 rke2 🐧 suse

  • 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu

  • ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu

  • ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse

  • ☁️ capo 🚀 rke2 🐧 suse

  • ☁️ capo 🚀 kadm 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha 🐧 suse

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🐧 suse

  • ☁️ capm3 🚀 kadm 🐧 ubuntu

  • ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse

  • ☁️ capm3 🚀 rke2 🎬 sylva-upgrade-from-1.4.x 🛠️ ha,misc 🐧 suse

  • ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse

  • ☁️ capm3 🚀 ck8s 🎬 no-wkld 🛠️ light-deploy 🐧 ubuntu

Global config for deployment pipelines

  • autorun pipelines
  • allow failure on pipelines
  • record sylvactl events

Notes:

  • Enabling autorun will make deployment pipelines run automatically, without human interaction.
  • Disabling allow failure will make deployment pipelines mandatory for pipeline success.
  • If both autorun and allow failure are disabled, deployment pipelines will need manual triggering but will block the pipeline.

Be aware: after configuration change, pipeline is not triggered automatically. Please run it manually (by clicking the run pipeline button in Pipelines tab) or push new code.

Edited by Dragos Gerea
