Update deprecated fields in restrict-runtimeClassName policy

kyverno · Feb 3, 2025 · 8fc9455 · 8fc9455
1 parent e2e60bf
commit 8fc9455
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 52 deletions.
diff --git a/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml b/psp-migration/restrict-runtimeClassName/.chainsaw-test/chainsaw-test.yaml
@@ -6,38 +6,51 @@ metadata:
   name: restrict-runtimeclassname
 spec:
   steps:
-  - name: step-00
-    try:
-    - apply:
-        file: ../restrict-runtimeClassName.yaml
-    - patch:
-        resource:
-          apiVersion: kyverno.io/v1
-          kind: ClusterPolicy
-          metadata:
-            name: restrict-runtimeclass
-          spec:
-            validationFailureAction: Enforce
-  - name: step-01
-    try:
-    - assert:
-        file: policy-ready.yaml
-  - name: step-02
-    try:
-    - apply:
-        file: chainsaw-step-02-apply-1.yaml
-    - apply:
-        file: chainsaw-step-02-apply-2.yaml
-    - apply:
-        file: chainsaw-step-02-apply-3.yaml
-    - apply:
-        file: chainsaw-step-02-apply-4.yaml
-  - name: step-03
-    try:
-    - apply:
-        file: good.yaml
-    - apply:
-        expect:
-        - check:
-            ($error != null): true
-        file: bad.yaml
+    - name: step-00
+      try:
+        - apply:
+            file: ../restrict-runtimeClassName.yaml
+        - patch:
+            resource:
+              apiVersion: kyverno.io/v1
+              kind: ClusterPolicy
+              metadata:
+                name: restrict-runtimeclass
+              spec:
+                rules:
+                  - name: prodclass-or-expclass
+                    match:
+                      any:
+                        - resources:
+                            kinds:
+                              - Pod
+                    validate:
+                      failureAction: Enforce
+                      message: "Only the runtime classes prodclass or expclass may be used. "
+                      pattern:
+                        =(spec):
+                          =(runtimeClassName): "prodclass | expclass"
+
+    - name: step-01
+      try:
+        - assert:
+            file: policy-ready.yaml
+    - name: step-02
+      try:
+        - apply:
+            file: chainsaw-step-02-apply-1.yaml
+        - apply:
+            file: chainsaw-step-02-apply-2.yaml
+        - apply:
+            file: chainsaw-step-02-apply-3.yaml
+        - apply:
+            file: chainsaw-step-02-apply-4.yaml
+    - name: step-03
+      try:
+        - apply:
+            file: good.yaml
+        - apply:
+            expect:
+              - check:
+                  ($error != null): true
+            file: bad.yaml
diff --git a/psp-migration/restrict-runtimeClassName/restrict-runtimeClassName.yaml b/psp-migration/restrict-runtimeClassName/restrict-runtimeClassName.yaml
@@ -16,22 +16,22 @@ metadata:
       unintended running states or Pods which may not come online. This policy restricts the runtimeClass
       field to the values `prodclass` or `expclass`.
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
-  - name: prodclass-or-expclass
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-    preconditions:
-      all:
-      - key: "{{request.operation || 'BACKGROUND'}}"
-        operator: Equals
-        value: CREATE
-    validate:
-      message: Only the runtime classes prodclass or expclass may be used.
-      pattern:
-        =(spec):
-          =(runtimeClassName): "prodclass | expclass"
+    - name: prodclass-or-expclass
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      preconditions:
+        all:
+          - key: "{{request.operation || 'BACKGROUND'}}"
+            operator: Equals
+            value: CREATE
+      validate:
+        failureAction: Enforce
+        message: Only the runtime classes prodclass or expclass may be used.
+        pattern:
+          =(spec):
+            =(runtimeClassName): "prodclass | expclass"