feat: Add validationActions field type to PolicyException to override vpol failureAction #85
onasser1 wants to merge 2 commits into
Why do we need this?
The original issue is to add this field in policyexception to override the failure action.
@realshuting I think I misunderstood this, I thought about introducing an override for validationActions
f495ee2 to e788b66
…ure action Signed-off-by: Omar Nasser <omarnasserjr@gmail.com>
@realshuting I made changes and updated the PR title and description
| // ValidationActions overrides the policy's validation actions when set | ||
| // +optional | ||
| ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"` |
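Review bot: the doc comment on `ValidationActions` says the override applies "when set" but never defines an explicitly empty list. With `omitempty` on a slice, `validationActions: []` and an absent field serialize the same way, so the comment should state that a missing or empty list leaves the policy's own actions in force. Since this field lets an exception change how a policy is enforced, spell that default out in the API doc rather than leaving it to the implementation.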
How can we specify per-policy-level validation actions override?
@realshuting you mean to have an override value for each policy reference?
So each defined policy reference should have its own validation actions override? And if it does not exist, apply the original policy's action.
Is this what you mean?
> Is this what you mean?
If yes, I think moving this into the PolicyRef type would be sufficient?
#85 (comment)
| type PolicyRef struct { | ||
| // Name is the name of the policy | ||
| Name string `json:"name"` | ||
|
|
||
| // Kind is the kind of the policy | ||
| Kind string `json:"kind"` | ||
| } |
| type PolicyRef struct { | |
| // Name is the name of the policy | |
| Name string `json:"name"` | |
| // Kind is the kind of the policy | |
| Kind string `json:"kind"` | |
| // ValidationActions overrides the policy's validation actions when set | |
| // +optional | |
| ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"` | |
| } |
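Review bot: in the suggested `PolicyRef`, `ValidationActions` sits next to `Kind` with no statement of which kinds honour it. The PR targets ValidatingPolicy, so the field comment should say what happens when the ref's `Kind` is something else (rejected at admission, or ignored); otherwise a user can set an override that silently does nothing.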
Signed-off-by: Omar Nasser <omarnasserjr@gmail.com>
| // ValidationActions overrides the policy's validation actions when set | ||
| // +optional | ||
| ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"` |
Why do we need a list of actions?
Please resolve all comments once addressed.
Pull request overview
This PR extends the PolicyException API to support overriding a referenced policy’s validationActions, enabling per-exception control over ValidatingPolicy enforcement behavior.
Changes:
- Added `validationActions` to `PolicyRef` in the PolicyException API (Go types + deepcopy support).
- Updated generated CRD manifests (raw + aggregated + Helm chart template) to expose the new field.
- Updated generated CRD documentation HTML to include the new field.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| docs/user/crd/kyverno_cel_policies.v1alpha1.html | Generated CRD docs updated to document validationActions on PolicyRef. |
| docs/user/crd/index.html | Generated CRD index updated to include validationActions in PolicyRef. |
| config/crds/policies.kyverno.io_policyexceptions.yaml | PolicyException CRD schema updated to include policyRefs[].validationActions (multiple version blocks). |
| config/crds.yaml | Aggregated CRDs updated to include policyRefs[].validationActions (multiple version blocks). |
| charts/kyverno-api/templates/crds/policies.kyverno.io_policyexceptions.yaml | Helm CRD template updated to include policyRefs[].validationActions (multiple version blocks). |
| api/policies.kyverno.io/v1alpha1/zz_generated.deepcopy.go | Deepcopy generation updated to deep-copy PolicyRef elements due to the new slice field. |
| api/policies.kyverno.io/v1alpha1/policy_exception.go | Added validationActions field to PolicyRef. |
| Kind string `json:"kind"` | ||
|
|
||
| // ValidationActions overrides the policy's validation actions when set | ||
| // +optional |
| // ValidationActions overrides the policy's validation actions when set | ||
| // +optional | ||
| ValidationActions []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"` |
| action. | ||
| type: string | ||
| type: array |
| validationActions: | ||
| description: ValidationActions overrides the policy's validation | ||
| actions when set | ||
| items: | ||
| description: ValidationAction specifies a policy enforcement | ||
| action. | ||
| type: string | ||
| type: array |
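Review bot: the generated schema for `validationActions` constrains `items` only with `type: string` and carries no `enum` and no list-type annotation, so the API server will accept arbitrary strings and repeated entries in an exception. Add a kubebuilder items enum marker (Deny, Warn, Audit) and `+listType=set` on the Go field and regenerate, so a malformed override is rejected at admission instead of reaching the engine.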
| action. | ||
| type: string | ||
| type: array |
| action. | ||
| type: string | ||
| type: array |
| validationActions: | ||
| description: ValidationActions overrides the policy's validation | ||
| actions when set | ||
| items: | ||
| description: ValidationAction specifies a policy enforcement | ||
| action. | ||
| type: string | ||
| type: array |
| validationActions: | ||
| description: ValidationActions overrides the policy's validation | ||
| actions when set | ||
| items: | ||
| description: ValidationAction specifies a policy enforcement | ||
| action. | ||
| type: string | ||
| type: array |
| action. | ||
| type: string | ||
| type: array |
| action. | ||
| type: string | ||
| type: array |
Explanation
We need to support override for ValidatingPolicy failureAction in PolicyException so in order to do that we need to define the `validationActions` field first in PolicyException API
Related issue
Needed for / Part of: kyverno/kyverno#14927
Proposed Changes
`validationActions` field to PolicyException
Checklist
Further Comments
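The fallback discussed in the review thread (a per-reference override, otherwise the policy's own action), as an added Go example that is not code from this PR or from Kyverno. `actionSet` and `effectiveActions` are hypothetical helpers, the types are local stand-ins for the PR's `PolicyRef` and `admissionregistrationv1.ValidationAction`, and it assumes the override follows the Deny/Warn/Audit constraints Kubernetes applies to binding `validationActions`.

```go
package main

import "fmt"

// Local stand-ins for admissionregistrationv1.ValidationAction and the PR's PolicyRef.
type ValidationAction string
const Deny, Warn, Audit ValidationAction = "Deny", "Warn", "Audit"
type PolicyRef struct {
	Name, Kind        string
	ValidationActions []ValidationAction
}

// actionSet (hypothetical helper) rejects unknown or repeated values and the
// Deny+Warn pair, the constraints Kubernetes places on binding validationActions.
func actionSet(as []ValidationAction) (map[ValidationAction]bool, error) {
	seen := map[ValidationAction]bool{}
	for _, a := range as {
		if (a != Deny && a != Warn && a != Audit) || seen[a] {
			return nil, fmt.Errorf("unsupported or repeated validation action %q", a)
		}
		seen[a] = true
	}
	if seen[Deny] && seen[Warn] {
		return nil, fmt.Errorf("validation actions Deny and Warn cannot be combined")
	}
	return seen, nil
}

// effectiveActions (hypothetical helper) returns the first matching ref's override, else the
// policy's own actions; an invalid override fails closed. The bool flags a dropped Deny.
func effectiveActions(name, kind string, own []ValidationAction, refs []PolicyRef) ([]ValidationAction, bool, error) {
	for _, r := range refs {
		if r.Name != name || r.Kind != kind || len(r.ValidationActions) == 0 {
			continue
		}
		set, err := actionSet(r.ValidationActions)
		if err != nil {
			return own, false, err
		}
		ownSet, _ := actionSet(own) // nil map if the policy's own list is malformed
		return r.ValidationActions, ownSet[Deny] && !set[Deny], nil
	}
	return own, false, nil
}

func main() { // constructed sample: a Deny policy whose exception downgrades it to Audit
	refs := []PolicyRef{{Name: "require-labels", Kind: "ValidatingPolicy", ValidationActions: []ValidationAction{Audit}}}
	fmt.Println(effectiveActions("require-labels", "ValidatingPolicy", []ValidationAction{Deny}, refs))
}
```

The boolean result is the value to surface in audit logs or reports: it marks exceptions that turn a denying policy into a non-blocking one.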