diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go index fa6595069c22..8703a7fe00e6 100644 --- a/api/kyverno/v1/clusterpolicy_types.go +++ b/api/kyverno/v1/clusterpolicy_types.go @@ -19,6 +19,10 @@ import ( // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:storageversion // ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. diff --git a/api/kyverno/v1/policy_status.go b/api/kyverno/v1/policy_status.go index 06328ac51a34..dbe3eb265579 100644 --- a/api/kyverno/v1/policy_status.go +++ b/api/kyverno/v1/policy_status.go 
@@ -30,6 +30,22 @@ type PolicyStatus struct { // Autogen contains autogen status information // +optional Autogen AutogenStatus `json:"autogen" yaml:"autogen"` + // RuleCount describes total number of rules in a policy + // +optional + RuleCount RuleCountStatus `json:"rulecount" yaml:"rulecount"` +} + +// RuleCountStatus contains four variables which describes counts for +// validate, generate, mutate and verify images rules +type RuleCountStatus struct { + // Count for validate rules in policy + Validate int `json:"validate" yaml:"validate"` + // Count for generate rules in policy + Generate int `json:"generate" yaml:"generate"` + // Count for mutate rules in policy + Mutate int `json:"mutate" yaml:"mutate"` + // Count for verify image rules in policy + VerifyImages int `json:"verifyimages" yaml:"verifyimages"` } func (status *PolicyStatus) SetReady(ready bool) { diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index 9d76926559d4..0af283d591fb 100644 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go @@ -17,6 +17,10 @@ import ( // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:resource:shortName=pol,categories=kyverno;all // +kubebuilder:storageversion 
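Review bot: In `api/kyverno/v1/policy_status.go` the four counters of `RuleCountStatus` are declared as plain `int`, whose width depends on the platform; the Kubernetes API conventions ask for explicitly sized integers in API types, so `Validate int32`, `Generate int32`, `Mutate int32` and `VerifyImages int32` (tags unchanged) would be the safer declarations. `RuleCount` is marked `+optional`, but the CRD schemas generated in this same commit list `generate`, `mutate`, `validate` and `verifyimages` under `required`, so any writer that sets `rulecount` has to supply all four; it is worth confirming that this is intended. The type comment would also read better as `// RuleCountStatus holds the number of validate, generate, mutate and verifyImages rules in a policy.`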
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 16b5449fbe74..ee25ec169a1c 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1045,6 +1045,7 @@ func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { } } in.Autogen.DeepCopyInto(&out.Autogen) + out.RuleCount = in.RuleCount } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. @@ -1237,6 +1238,21 @@ func (in *Rule) DeepCopy() *Rule { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleCountStatus) DeepCopyInto(out *RuleCountStatus) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleCountStatus. +func (in *RuleCountStatus) DeepCopy() *RuleCountStatus { + if in == nil { + return nil + } + out := new(RuleCountStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretReference) DeepCopyInto(out *SecretReference) { *out = *in diff --git a/api/kyverno/v2beta1/clusterpolicy_types.go b/api/kyverno/v2beta1/clusterpolicy_types.go index 29ed97e01bfb..cbea0a787f3c 100644 --- a/api/kyverno/v2beta1/clusterpolicy_types.go +++ b/api/kyverno/v2beta1/clusterpolicy_types.go 
@@ -20,6 +20,10 @@ import ( // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. type ClusterPolicy struct { diff --git a/api/kyverno/v2beta1/policy_types.go b/api/kyverno/v2beta1/policy_types.go index 90a40b1df1bb..cf2edefee1eb 100644 --- a/api/kyverno/v2beta1/policy_types.go +++ b/api/kyverno/v2beta1/policy_types.go @@ -18,6 +18,10 @@ import ( // +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 // +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 // +kubebuilder:resource:shortName=pol,categories=kyverno;all // Policy declares validation, mutation, and generation behaviors for matching resources. 
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index f3b554c8e2b3..c2391c5ca70e 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -1029,6 +1029,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -4632,6 +4648,27 @@ spec: ready: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -4659,6 +4696,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: 
@@ -8115,6 +8168,27 @@ spec: ready: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -8619,6 +8693,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -12222,6 +12312,27 @@ spec: ready: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object 
@@ -12249,6 +12360,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: @@ -15705,6 +15832,27 @@ spec: ready: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 49a3910bc4b7..f05e85308b75 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -37,6 +37,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: 
@@ -5861,6 +5877,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -5888,6 +5925,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: @@ -11443,6 +11496,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 87c05ffd0c80..95690b2befc4 100644 
--- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -37,6 +37,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -5863,6 +5879,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -5890,6 +5927,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: 
@@ -11446,6 +11499,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object diff --git a/config/install.yaml b/config/install.yaml index 44855e029b4a..57d5cd0901b2 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -1359,6 +1359,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -7183,6 +7199,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object 
@@ -7210,6 +7247,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: @@ -12765,6 +12818,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -13379,6 +13453,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: 
@@ -19205,6 +19295,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -19232,6 +19343,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: @@ -24788,6 +24915,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 2e5b788140ee..496dc874ce8e 100644 --- a/config/install_debug.yaml 
+++ b/config/install_debug.yaml @@ -1353,6 +1353,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -7177,6 +7193,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -7204,6 +7241,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: 
@@ -12759,6 +12812,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object @@ -13370,6 +13444,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v1 schema: openAPIV3Schema: @@ -19196,6 +19286,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object 
@@ -19223,6 +19334,22 @@ spec: - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer name: v2beta1 schema: openAPIV3Schema: @@ -24779,6 +24906,27 @@ spec: description: Ready indicates if the policy is ready to serve the admission request. Deprecated in favor of Conditions type: boolean + rulecount: + description: RuleCount describes total number of rules in a policy + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object required: - ready type: object diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 79e951e4c10d..f3fcf94f3b77 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2759,6 +2759,20 @@

PolicyStatus

Autogen contains autogen status information

+ + +rulecount
+ + +RuleCountStatus + + + + +(Optional) +

RuleCount describes total number of rules in a policy

+ +
@@ -3235,6 +3249,71 @@

Rule
+

RuleCountStatus +

+

+(Appears on: +PolicyStatus) +

+

+

RuleCountStatus contains four variables which describes counts for +validate, generate, mutate and verify images rules

+

+ + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+validate
+ +int + +
+

Count for validate rules in policy

+
+generate
+ +int + +
+

Count for generate rules in policy

+
+mutate
+ +int + +
+

Count for mutate rules in policy

+
+verifyimages
+ +int + +
+

Count for verify image rules in policy

+
+

SecretReference

diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index cf3c1a08f422..a93604b6d11a 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go @@ -43,14 +43,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{ // AddToScheme adds all types of this clientset into the given scheme. This allows composition // of clientsets, like in: // -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) // -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) // // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types // correctly. diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go index 776190e3523e..9fbeaa98f0d3 100644 --- a/pkg/client/clientset/versioned/scheme/register.go +++ b/pkg/client/clientset/versioned/scheme/register.go 
@@ -43,14 +43,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{ // AddToScheme adds all types of this clientset into the given scheme. This allows composition // of clientsets, like in: // -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) // -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) // // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types // correctly. diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go index 65996973aa9e..43a1cc5a2c79 100644 --- a/pkg/controllers/webhook/controller.go +++ b/pkg/controllers/webhook/controller.go @@ -430,7 +430,9 @@ func (c *controller) updatePolicyStatuses(ctx context.Context) error { status := policy.GetStatus() status.SetReady(ready) status.Autogen.Rules = nil - for _, rule := range autogen.ComputeRules(policy) { + rules := autogen.ComputeRules(policy) + setRuleCount(rules, status) + for _, rule := range rules { if strings.HasPrefix(rule.Name, "autogen-") { status.Autogen.Rules = append(status.Autogen.Rules, rule) } diff --git a/pkg/controllers/webhook/utils.go b/pkg/controllers/webhook/utils.go index dcecff803bb2..6a73f6df8fc8 100644 --- a/pkg/controllers/webhook/utils.go +++ b/pkg/controllers/webhook/utils.go 
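Review bot: In `updatePolicyStatuses` (pkg/controllers/webhook/controller.go) the `"autogen-"` prefix test now exists twice, once in the loop that fills `status.Autogen.Rules` and once inside the new `setRuleCount`, and the rule slice is walked twice. A single package-level constant for the prefix, for example `const autogenRulePrefix = "autogen-"`, would keep the two classifications from drifting apart if the prefix ever changes. The function body starts and ends outside this hunk, so whether the status write is skipped when nothing changed cannot be judged from here.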
@@ -1,6 +1,8 @@ package webhook import ( + "strings" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/utils" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" @@ -70,3 +72,27 @@ func objectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta { OwnerReferences: owner, } } + +func setRuleCount(rules []kyvernov1.Rule, status *kyvernov1.PolicyStatus) { + validateCount, generateCount, mutateCount, verifyImagesCount := 0, 0, 0, 0 + for _, rule := range rules { + if !strings.HasPrefix(rule.Name, "autogen-") { + if rule.HasGenerate() { + generateCount += 1 + } + if rule.HasValidate() { + validateCount += 1 + } + if rule.HasMutate() { + mutateCount += 1 + } + if rule.HasVerifyImages() { + verifyImagesCount += 1 + } + } + } + status.RuleCount.Validate = validateCount + status.RuleCount.Generate = generateCount + status.RuleCount.Mutate = mutateCount + status.RuleCount.VerifyImages = verifyImagesCount +} diff --git a/pkg/controllers/webhook/utils_test.go b/pkg/controllers/webhook/utils_test.go index 97cb03f12b6a..db5596310a95 100644 --- a/pkg/controllers/webhook/utils_test.go +++ b/pkg/controllers/webhook/utils_test.go @@ -1,8 +1,12 @@ package webhook import ( + "encoding/json" "testing" + kyverno "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/autogen" + "gotest.tools/assert" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" ) 
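Review bot: `setRuleCount` in pkg/controllers/webhook/utils.go decides what to count from the rule name alone: every rule whose name starts with `autogen-` is skipped, so a hand-written rule that uses that prefix would be missing from the counts shown in the new print columns. Whether policy validation rejects such names is not visible in this diff, so this should be confirmed or stated in a comment. The function has no doc comment; something like `// setRuleCount stores the number of non-autogen validate, generate, mutate and verifyImages rules in status.RuleCount; a rule with several actions is counted once per action.` would record both behaviours. Minor style: `generateCount += 1` is normally written `generateCount++` in Go.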
@@ -14,3 +18,142 @@ func Test_webhook_isEmpty(t *testing.T) { notEmpty.setWildcard() assert.Equal(t, notEmpty.isEmpty(), false) } + +var policy = ` +{ + "apiVersion": "kyverno.io/v1", + "kind": "ClusterPolicy", + "metadata": { + "name": "disallow-unsigned-images" + }, + "spec": { + "validationFailureAction": "enforce", + "background": false, + "rules": [ + { + "name": "replace-image-registry", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Pod" + ] + } + } + ] + }, + "mutate": { + "foreach": [ + { + "list": "request.object.spec.containers", + "patchStrategicMerge": { + "spec": { + "containers": [ + { + "name": "{{ element.name }}", + "image": "{{ regex_replace_all_literal('.*(.*)/', '{{element.image}}', 'pratikrshah/' )}}" + } + ] + } + } + } + ] + } + }, + { + "name": "disallow-unsigned-images-rule", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Pod" + ] + } + } + ] + }, + "verifyImages": [ + { + "imageReferences": [ + "*" + ], + "verifyDigest": false, + "required": null, + "mutateDigest": false, + "attestors": [ + { + "count": 1, + "entries": [ + { + "keys": { + "publicKeys": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHsra9WSDxt9qv84KF4McNVCGjMFq\ne96mWCQxGimL9Ltj6F3iXmlo8sUalKfJ7SBXpy8hwyBfXBBAmCalsp5xEw==\n-----END PUBLIC KEY-----" + } + } + ] + } + ] + } + ] + }, + { + "name": "check-image", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Pod" + ] + } + } + ] + }, + "context": [ + { + "name": "keys", + "configMap": { + "name": "keys", + "namespace": "default" + } + } + ], + "verifyImages": [ + { + "imageReferences": [ + "ghcr.io/myorg/myimage*" + ], + "required": true, + "attestors": [ + { + "count": 1, + "entries": [ + { + "keys": { + "publicKeys": "{{ keys.data.production }}" + } + } + ] + } + ] + } + ] + } + ] + } +} +` + +func Test_RuleCount(t *testing.T) { + var cpol kyverno.ClusterPolicy + err := json.Unmarshal([]byte(policy), &cpol) + assert.NilError(t, err) + status := cpol.GetStatus() + 
rules := autogen.ComputeRules(&cpol) + setRuleCount(rules, status) + assert.Equal(t, status.RuleCount.Validate, 0) + assert.Equal(t, status.RuleCount.Generate, 0) + assert.Equal(t, status.RuleCount.Mutate, 1) + assert.Equal(t, status.RuleCount.VerifyImages, 2) +}
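Review bot: `Test_RuleCount` only pins non-zero values for Mutate and VerifyImages; Validate and Generate are both asserted as 0, so an accidental swap of those two assignments in `setRuleCount` would still pass. Adding one validate rule and one generate rule to the fixture, or a second small fixture, would cover all four counters. The expected values 1 and 2 presumably also depend on `autogen.ComputeRules` emitting `autogen-`-prefixed copies for this Pod policy, which a short comment in the test could say so that the exclusion is visibly under test. The package-level fixture name `policy` is very generic for package `webhook`; a name such as `ruleCountPolicy` would avoid confusion with local variables of the same name.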