Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kyverno for openSUSE:Factory checked in at 2026-05-18 17:48:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kyverno (Old) and /work/SRC/openSUSE:Factory/.kyverno.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kyverno" Mon May 18 17:48:46 2026 rev:60 rq:1353806 version:1.18.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kyverno/kyverno.changes 2026-04-30 20:31:08.680641791 +0200 +++ /work/SRC/openSUSE:Factory/.kyverno.new.1966/kyverno.changes 2026-05-18 17:49:45.800632981 +0200 @@ -1,0 +2,9 @@ +Mon May 18 11:07:27 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 1.18.1: + * fix: pass AdmissionRequest to updaterequests for mutate + existing policy (#16050) (#16072) + * fix: support cluster-scoped resource generation in + GeneratingPolicy (#16018) (#16031) + +------------------------------------------------------------------- Old: ---- kyverno-1.18.0.obscpio New: ---- kyverno-1.18.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kyverno.spec ++++++ --- /var/tmp/diff_new_pack.vU01t4/_old 2026-05-18 17:49:49.260775962 +0200 +++ /var/tmp/diff_new_pack.vU01t4/_new 2026-05-18 17:49:49.264776126 +0200 @@ -17,7 +17,7 @@ Name: kyverno -Version: 1.18.0 +Version: 1.18.1 Release: 0 Summary: CLI and kubectl plugin for Kyverno License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.vU01t4/_old 2026-05-18 17:49:49.464784392 +0200 +++ /var/tmp/diff_new_pack.vU01t4/_new 2026-05-18 17:49:49.496785714 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/kyverno/kyverno</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v1.18.0</param> + <param name="revision">v1.18.1</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.vU01t4/_old 2026-05-18 17:49:49.664792656 +0200 +++ /var/tmp/diff_new_pack.vU01t4/_new 2026-05-18 17:49:49.700794144 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/kyverno/kyverno</param> - <param name="changesrevision">78e7560a5531fda5a39ffb119d7d8e47527d8aee</param></service></servicedata> + <param name="changesrevision">ec14520a11cc25432482bfc0baa6a61d3c309524</param></service></servicedata> (No newline at EOF) ++++++ kyverno-1.18.0.obscpio -> kyverno-1.18.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/Makefile new/kyverno-1.18.1/Makefile --- old/kyverno-1.18.0/Makefile 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/Makefile 2026-05-18 11:28:17.000000000 +0200 
@@ -688,12 +688,19 @@ define generate_crd @echo "{{- if $(if $(6),and .Values.groups.$(4).$(5) (not .Values.reportsServer.enabled),.Values.groups.$(4).$(5)) }}" > ./charts/kyverno/charts/crds/templates/$(3)/$(1) @cat $(CRDS_PATH)/$(2)/$(1) \ - | $(SED) -e '/^ annotations:/a \ \ \ \ {{- end }}' \ - | $(SED) -e '/^ annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \ - | $(SED) -e '/^ annotations:/a \ \ \ \ {{- with .Values.annotations }}' \ - | $(SED) -e '/^ annotations:/i \ \ labels:' \ - | $(SED) -e '/^ labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \ - | $(SED) -e 's/(devel)/$(CONTROLLER_GEN_VERSION)/' \ + | awk '{ \ + if ($$0 == " annotations:") { \ + print " labels:"; \ + print " {{- include \"kyverno.crds.labels\" . | nindent 4 }}"; \ + print $$0; \ + print " {{- with .Values.annotations }}"; \ + print " {{- toYaml . | nindent 4 }}"; \ + print " {{- end }}"; \ + next; \ + } \ + gsub(/\(devel\)/, "$(CONTROLLER_GEN_VERSION)"); \ + print; \ + }' \ >> ./charts/kyverno/charts/crds/templates/$(3)/$(1) @echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/$(3)/$(1) endef diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/.helmignore new/kyverno-1.18.1/charts/kyverno/.helmignore --- old/kyverno-1.18.0/charts/kyverno/.helmignore 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/.helmignore 2026-05-18 11:28:17.000000000 +0200 @@ -1,3 +1,6 @@ .helmignore ci/ README.md.gotmpl +tmpcharts-*/ +# Exclude generated docs from the release payload to keep Helm release secret size small. +README.md diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/Chart.lock new/kyverno-1.18.1/charts/kyverno/Chart.lock --- old/kyverno-1.18.0/charts/kyverno/Chart.lock 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/Chart.lock 2026-05-18 11:28:17.000000000 +0200 
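Review bot: The awk rewrite keys the whole label/annotation injection on an exact-equality test, `$$0 == " annotations:"` (indent as controller-gen emits it), so if a future controller-gen changes the indentation of `metadata.annotations` the generated chart CRDs silently lose their labels and `.Values.annotations` hook with no build error; the old `/^ annotations:/` prefix match had the same dependency, but it is now worth stating in the define: `# Exact-match the indented .metadata.annotations key; deeper "annotations:" keys inside the schema are indented further and must not match.`. Separately, `$(CONTROLLER_GEN_VERSION)` is expanded by make into a double-quoted awk string that itself sits inside a single-quoted shell argument, so a value containing `"`, `\` or `'` would break the program — presumably only plain `vX.Y.Z` tags ever reach it, but a comment or a `-v ver=...` pass-through would make that assumption explicit.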
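Review bot: Excluding `README.md` from the package removes it from the published chart `.tgz` as well as from the release Secret, so `helm show readme` and registries that render the README from the package will come up empty; if that is intended, the comment should say so, e.g. `# README.md is dropped from the packaged chart (not only the release secret); docs are served from the repo and website.`. The new `tmpcharts-*/` pattern also confirms that helm's dependency scratch directories live in the source tree — this very diff lists binary `charts/kyverno/tmpcharts-10949/*.tgz` files changing between 1.18.0 and 1.18.1 — and `.helmignore` only hides them from `helm package`; presumably they should be deleted and listed in `.gitignore` so unreviewed dependency tarballs stop shipping in the source archive.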
@@ -1,10 +1,10 @@ dependencies: - name: grafana repository: "" - version: 3.8.0 + version: 3.8.1 - name: crds repository: "" - version: 3.8.0 + version: 3.8.1 - name: kyverno-api repository: https://kyverno.github.io/api version: 0.0.1-alpha.2 @@ -14,5 +14,5 @@ - name: reports-server repository: https://kyverno.github.io/reports-server/ version: 0.1.6 -digest: sha256:9afcbe4924ea65f5148ef768ff42e1473278ab5c7836173c38e4bc778c90c3cf -generated: "2026-04-29T12:39:35.411754+02:00" +digest: sha256:f09c63f775fb3728813f5301ba3469e931623ab6f924e54066e8d665d2d68e5a +generated: "2026-05-18T17:16:15.487764+08:00" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/Chart.yaml new/kyverno-1.18.1/charts/kyverno/Chart.yaml --- old/kyverno-1.18.0/charts/kyverno/Chart.yaml 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/Chart.yaml 2026-05-18 11:28:17.000000000 +0200 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno -version: 3.8.0 # VERSION -appVersion: v1.18.0 +version: 3.8.1 # VERSION +appVersion: v1.18.1 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management keywords: @@ -39,10 +39,10 @@ description: Enable the flag `--validatingAdmissionPolicyReports` by default in the reports controller. dependencies: - name: grafana - version: 3.8.0 # VERSION + version: 3.8.1 # VERSION condition: grafana.enabled - name: crds - version: 3.8.0 # VERSION + version: 3.8.1 # VERSION condition: crds.install - name: kyverno-api version: 0.0.1-alpha.2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/README.md new/kyverno-1.18.1/charts/kyverno/README.md --- old/kyverno-1.18.0/charts/kyverno/README.md 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/README.md 2026-05-18 11:28:17.000000000 +0200 
@@ -2,7 +2,7 @@ Kubernetes Native Policy Management -   +   ## About @@ -974,8 +974,8 @@ | Repository | Name | Version | |------------|------|---------| -| | crds | 3.8.0 | -| | grafana | 3.8.0 | +| | crds | 3.8.1 | +| | grafana | 3.8.1 | | https://kyverno.github.io/api | kyverno-api | 0.0.1-alpha.2 | | https://kyverno.github.io/reports-server/ | reports-server | 0.1.6 | | https://openreports.github.io/reports-api | openreports | 0.1.0 | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/charts/crds/Chart.yaml new/kyverno-1.18.1/charts/kyverno/charts/crds/Chart.yaml --- old/kyverno-1.18.0/charts/kyverno/charts/crds/Chart.yaml 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/charts/crds/Chart.yaml 2026-05-18 11:28:17.000000000 +0200 @@ -1,3 +1,3 @@ apiVersion: v2 name: crds -version: 3.8.0 # VERSION +version: 3.8.1 # VERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/charts/crds/README.md new/kyverno-1.18.1/charts/kyverno/charts/crds/README.md --- old/kyverno-1.18.0/charts/kyverno/charts/crds/README.md 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/charts/crds/README.md 2026-05-18 11:28:17.000000000 +0200 @@ -1,6 +1,6 @@ # crds - + ## Values diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/charts/grafana/Chart.yaml new/kyverno-1.18.1/charts/kyverno/charts/grafana/Chart.yaml --- old/kyverno-1.18.0/charts/kyverno/charts/grafana/Chart.yaml 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/charts/grafana/Chart.yaml 2026-05-18 11:28:17.000000000 +0200 
@@ -1,3 +1,3 @@ apiVersion: v2 name: grafana -version: 3.8.0 # VERSION +version: 3.8.1 # VERSION diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno/charts/grafana/README.md new/kyverno-1.18.1/charts/kyverno/charts/grafana/README.md --- old/kyverno-1.18.0/charts/kyverno/charts/grafana/README.md 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno/charts/grafana/README.md 2026-05-18 11:28:17.000000000 +0200 @@ -1,6 +1,6 @@ # grafana - + ## Values Binary files old/kyverno-1.18.0/charts/kyverno/tmpcharts-10949/kyverno-api-0.0.1-alpha.2.tgz and new/kyverno-1.18.1/charts/kyverno/tmpcharts-10949/kyverno-api-0.0.1-alpha.2.tgz differ Binary files old/kyverno-1.18.0/charts/kyverno/tmpcharts-10949/openreports-0.1.0.tgz and new/kyverno-1.18.1/charts/kyverno/tmpcharts-10949/openreports-0.1.0.tgz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno-policies/Chart.yaml new/kyverno-1.18.1/charts/kyverno-policies/Chart.yaml --- old/kyverno-1.18.0/charts/kyverno-policies/Chart.yaml 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno-policies/Chart.yaml 2026-05-18 11:28:17.000000000 +0200 @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno-policies -version: 3.8.0 # VERSION -appVersion: v1.18.0 +version: 3.8.1 # VERSION +appVersion: v1.18.1 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/charts/kyverno-policies/README.md new/kyverno-1.18.1/charts/kyverno-policies/README.md --- old/kyverno-1.18.0/charts/kyverno-policies/README.md 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/charts/kyverno-policies/README.md 2026-05-18 11:28:17.000000000 +0200 
@@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -   +   ## About diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/background/generate/generator.go new/kyverno-1.18.1/pkg/background/generate/generator.go --- old/kyverno-1.18.0/pkg/background/generate/generator.go 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/pkg/background/generate/generator.go 2026-05-18 11:28:17.000000000 +0200 @@ -16,6 +16,7 @@ "go.uber.org/multierr" apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" ) type generator struct { @@ -180,6 +181,18 @@ } newGenResources = append(newGenResources, targetMeta) } else { + effectiveAPIVersion := targetMeta.GetAPIVersion() + if effectiveAPIVersion == "" { + effectiveAPIVersion = generatedObj.GetAPIVersion() + newResource.SetAPIVersion(effectiveAPIVersion) + } + + effectiveNamespace := targetMeta.GetNamespace() + if effectiveNamespace == "" && g.isNamespacedResource(effectiveAPIVersion, targetMeta.GetKind()) { + effectiveNamespace = "default" + } + newResource.SetNamespace(effectiveNamespace) + if !g.rule.Generation.Synchronize { logger.V(4).Info("synchronize disabled, skip syncing changes") continue 
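Review bot: The `"default"` fallback is now gated on `g.isNamespacedResource`, but that helper (added further down in this diff) answers `true` on every failure path — unparsable apiVersion, discovery error, or no match — so a transient discovery problem for a cluster-scoped target such as the ClusterRoleBinding this release is meant to support still stamps `metadata.namespace: default` onto `newResource` and sends the update down a namespaced path, with the cause visible only at `V(4)`. Because the scope question decides which API path the write takes, I would rather skip the target and let it be retried than guess: if the helper reported an error, the call site would become `namespaced, err := g.isNamespacedResource(effectiveAPIVersion, targetMeta.GetKind())`, `if err != nil { /* record err, continue */ }`, `if effectiveNamespace == "" && namespaced {`. Note also that `newResource.SetNamespace(effectiveNamespace)` now runs before the `Synchronize` check, i.e. on targets that are then skipped; harmless as far as the hunk shows, but worth a comment. The enclosing loop and function begin before and end after this hunk.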
@@ -192,18 +205,11 @@
 }
 logger.V(4).Info("updating existing resource")
- if targetMeta.GetAPIVersion() == "" {
- generatedResourceAPIVersion := generatedObj.GetAPIVersion()
- newResource.SetAPIVersion(generatedResourceAPIVersion)
- }
- if targetMeta.GetNamespace() == "" {
- newResource.SetNamespace("default")
- }
 if g.policy.GetSpec().UseServerSideApply {
- _, err = g.client.ApplyResource(context.TODO(), targetMeta.GetAPIVersion(), targetMeta.GetKind(), targetMeta.GetNamespace(), targetMeta.GetName(), newResource, false, "generate")
+ _, err = g.client.ApplyResource(context.TODO(), effectiveAPIVersion, targetMeta.GetKind(), effectiveNamespace, targetMeta.GetName(), newResource, false, "generate")
 } else {
- _, err = g.client.UpdateResource(context.TODO(), targetMeta.GetAPIVersion(), targetMeta.GetKind(), targetMeta.GetNamespace(), newResource, false)
+ _, err = g.client.UpdateResource(context.TODO(), effectiveAPIVersion, targetMeta.GetKind(), effectiveNamespace, newResource, false)
 }
 if err != nil {
 logger.Error(err, "failed to update resource")
@@ -288,3 +294,23 @@
 }
 return nil
 }
+
+func (g *generator) isNamespacedResource(apiVersion, kind string) bool {
+ if apiVersion == "" || kind == "" {
+ return true
+ }
+ gv, err := schema.ParseGroupVersion(apiVersion)
+ if err != nil {
+ g.logger.V(4).Info("failed to parse apiVersion for generated resource scope lookup", "apiVersion", apiVersion, "kind", kind, "error", err.Error())
+ return true
+ }
+ resources, err := g.client.Discovery().FindResources(gv.Group, gv.Version, kind, "")
+ if err != nil {
+ g.logger.V(4).Info("failed to discover generated resource scope", "apiVersion", apiVersion, "kind", kind, "error", err.Error())
+ return true
+ }
+ for _, resource := range resources {
+ return resource.Namespaced
+ }
+ return true
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/libs/context.go new/kyverno-1.18.1/pkg/cel/libs/context.go
--- old/kyverno-1.18.0/pkg/cel/libs/context.go 2026-04-29 12:51:40.000000000 +0200
+++ new/kyverno-1.18.1/pkg/cel/libs/context.go 2026-05-18 11:28:17.000000000 +0200
@@ -192,27 +192,32 @@
 }
 for _, item := range items {
+ targetNamespace := namespace
+ if !cp.isNamespacedResource(item.GetAPIVersion(), item.GetKind()) {
+ targetNamespace = ""
+ }
+
 // In CLI evaluation mode, we do not create the resource in the cluster
 // but just store it in the generated resources list.
 if cp.cliEvaluation {
 item.SetUID("")
 item.SetManagedFields(nil)
 item.SetAnnotations(nil)
- item.SetNamespace(namespace)
+ item.SetNamespace(targetNamespace)
 item.SetResourceVersion("")
 item.SetCreationTimestamp(metav1.Time{})
 cp.generatedResources = append(cp.generatedResources, item)
 continue
 }
 cp.addGenerateLabels(item)
- item.SetNamespace(namespace)
+ item.SetNamespace(targetNamespace)
 item.SetResourceVersion("")
 // check if the resource is already generated
 _, err := cp.client.GetResource(
 context.TODO(),
 item.GetAPIVersion(),
 item.GetKind(),
- namespace,
+ targetNamespace,
 item.GetName(),
 )
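Review bot: Every failure path in `isNamespacedResource` — empty apiVersion or kind, unparsable group/version, discovery error, or an empty result — collapses into `return true` at `V(4)`, so the caller cannot distinguish "namespaced" from "unknown" and a cluster-scoped target is silently treated as namespaced whenever discovery hiccups; the `for _, resource := range resources { return resource.Namespaced }` loop additionally returns an arbitrary element when `FindResources` yields more than one match (it appears to be a map, given the range-only access). I would make the lookup fallible and let the caller skip and retry the target instead of guessing, as below; this assumes `fmt` is already imported by the file.

```go
// isNamespacedResource resolves whether kind (in apiVersion) is namespace-scoped
// via discovery. A failed lookup is reported instead of defaulting to "namespaced",
// so the caller can skip the target and retry rather than guess a namespace.
func (g *generator) isNamespacedResource(apiVersion, kind string) (bool, error) {
	if apiVersion == "" || kind == "" {
		return false, fmt.Errorf("cannot resolve scope: apiVersion %q or kind %q is empty", apiVersion, kind)
	}
	gv, err := schema.ParseGroupVersion(apiVersion)
	if err != nil {
		return false, fmt.Errorf("parse apiVersion %q: %w", apiVersion, err)
	}
	resources, err := g.client.Discovery().FindResources(gv.Group, gv.Version, kind, "")
	if err != nil {
		return false, fmt.Errorf("discover scope of %s/%s: %w", apiVersion, kind, err)
	}
	if len(resources) == 0 {
		return false, fmt.Errorf("no resource found for %s/%s", apiVersion, kind)
	}
	// All matches for one kind must agree on scope; reject a mixed answer instead of picking one.
	var namespaced, seen bool
	for _, resource := range resources {
		if seen && resource.Namespaced != namespaced {
			return false, fmt.Errorf("ambiguous scope for %s/%s", apiVersion, kind)
		}
		namespaced, seen = resource.Namespaced, true
	}
	return namespaced, nil
}
```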
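Review bot: `targetNamespace` is cleared for cluster-scoped kinds, but nothing tells policy authors that the namespace they pass to `generator.apply()` is then ignored, and the two scope lookups introduced in this release use different mechanisms (RESTMapper here, discovery in `pkg/background/generate`) while both fall back to "namespaced" on any error. Since this path now lets a namespace-triggered GeneratingPolicy create cluster-wide objects such as ClusterRoleBindings, guarded only by the controller's own RBAC, I would at least state the contract above the new block: `// Cluster-scoped kinds ignore the caller-supplied namespace; scope comes from the RESTMapper and falls back to namespaced when it cannot be resolved.`. The enclosing function begins before the hunk and continues after it.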
@@ -223,7 +228,7 @@
 context.TODO(),
 item.GetAPIVersion(),
 item.GetKind(),
- namespace,
+ targetNamespace,
 item,
 false,
 )
@@ -295,6 +300,21 @@
 return &r.Resource, nil
 }
+func (cp *contextProvider) isNamespacedResource(apiVersion, kind string) bool {
+ if cp.restMapper == nil || apiVersion == "" || kind == "" {
+ return true
+ }
+ groupVersion, err := schema.ParseGroupVersion(apiVersion)
+ if err != nil {
+ return true
+ }
+ r, err := cp.restMapper.RESTMapping(schema.GroupKind{Group: groupVersion.Group, Kind: kind}, groupVersion.Version)
+ if err != nil || r.Scope == nil {
+ return true
+ }
+ return r.Scope.Name() == meta.RESTScopeNameNamespace
+}
+
 func (cp *contextProvider) ClearGeneratedResources() {
 cp.generatedResources = make([]*unstructured.Unstructured, 0)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/compiler/policy.go new/kyverno-1.18.1/pkg/cel/policies/mpol/compiler/policy.go
--- old/kyverno-1.18.0/pkg/cel/policies/mpol/compiler/policy.go 2026-04-29 12:51:40.000000000 +0200
+++ new/kyverno-1.18.1/pkg/cel/policies/mpol/compiler/policy.go 2026-05-18 11:28:17.000000000 +0200
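Review bot: `isNamespacedResource` returns `true` on any `RESTMapping` error, including the no-match error for a kind the cached mapper has not seen yet, so a freshly installed cluster-scoped CRD will be generated with a namespace set until the mapper refreshes; the `cp.restMapper == nil` branch has the same effect for whatever constructs the provider without a mapper (presumably the CLI path). Where the mapper supports invalidation, a no-match is the cue to refresh and retry the mapping once (`meta.IsNoMatchError(err)` is the test, and `meta` is already imported here); if that is not possible in this provider, a doc comment such as `// Unknown or unresolvable kinds are treated as namespaced; a cluster-scoped CRD not yet known to the mapper will be mis-scoped.` should at least make the failure mode explicit rather than silent.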
@@ -85,8 +85,8 @@
 return vars
 }
-func (p *Policy) MatchesConditions(ctx context.Context, attr admission.Attributes, namespace *corev1.Namespace, contextProvider libs.Context) bool {
- data, err := prepareData(attr, nil, namespace)
+func (p *Policy) MatchesConditions(ctx context.Context, attr admission.Attributes, request *admissionv1.AdmissionRequest, namespace *corev1.Namespace, contextProvider libs.Context) bool {
+ data, err := prepareData(attr, request, namespace)
 if err != nil {
 return false
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/engine.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/engine.go
--- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/engine.go 2026-04-29 12:51:40.000000000 +0200
+++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/engine.go 2026-05-18 11:28:17.000000000 +0200
@@ -300,5 +300,5 @@
 namespace = e.nsResolver(ns)
 }
- return e.provider.MatchesMutateExisting(ctx, attr, namespace)
+ return e.provider.MatchesMutateExisting(ctx, attr, &request.Request, namespace)
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/engine_test.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/engine_test.go
--- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/engine_test.go 2026-04-29 12:51:40.000000000 +0200
+++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/engine_test.go 2026-05-18 11:28:17.000000000 +0200
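Review bot: `MatchesConditions` now forwards `request` to `prepareData`, and the updated tests in this diff call `MatchesMutateExisting` with a `nil` request, so `prepareData` must tolerate a nil `*admissionv1.AdmissionRequest` (it always received `nil` here before, so presumably it does) — but the new signature says nothing about that, and a later change that dereferences the request to expose `userInfo`-style CEL variables would panic for request-less callers. A doc comment would pin the contract: `// MatchesConditions evaluates spec.matchConditions for attr. request may be nil (offline/CLI callers); request-derived CEL variables are then unavailable to the conditions.`. The engine.go hunk on the same line passes `&request.Request`, so the admission path now hands the real request to match conditions as the changelog describes.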
@@ -199,7 +199,7 @@ return nil } -func (m *mockFailingProvider) MatchesMutateExisting(context.Context, admission.Attributes, *corev1.Namespace) []string { +func (m *mockFailingProvider) MatchesMutateExisting(context.Context, admission.Attributes, *admissionv1.AdmissionRequest, *corev1.Namespace) []string { return nil } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/provider.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/provider.go --- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/provider.go 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/provider.go 2026-05-18 11:28:17.000000000 +0200 @@ -10,6 +10,7 @@ "github.com/kyverno/kyverno/pkg/cel/matching" "github.com/kyverno/kyverno/pkg/cel/policies/mpol/autogen" "github.com/kyverno/kyverno/pkg/cel/policies/mpol/compiler" + admissionv1 "k8s.io/api/admission/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission/plugin/policy/mutating/patch" @@ -24,7 +25,7 @@ type Provider interface { Fetch(context.Context, bool) []Policy - MatchesMutateExisting(context.Context, admission.Attributes, *corev1.Namespace) []string + MatchesMutateExisting(context.Context, admission.Attributes, *admissionv1.AdmissionRequest, *corev1.Namespace) []string } func NewKubeProvider( @@ -116,7 +117,7 @@ return filtered } -func (r *staticProvider) MatchesMutateExisting(ctx context.Context, attr admission.Attributes, namespace *corev1.Namespace) []string { +func (r *staticProvider) MatchesMutateExisting(ctx context.Context, attr admission.Attributes, request *admissionv1.AdmissionRequest, namespace *corev1.Namespace) []string { policies := r.Fetch(ctx, true) matchedPolicies := []string{} for _, mpol := range policies { 
@@ -127,7 +128,7 @@ } if mpol.Policy.GetSpec().MatchConditions != nil { - if !mpol.CompiledPolicy.MatchesConditions(ctx, attr, namespace, r.libCxt) { + if !mpol.CompiledPolicy.MatchesConditions(ctx, attr, request, namespace, r.libCxt) { continue } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/provider_test.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/provider_test.go --- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/provider_test.go 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/provider_test.go 2026-05-18 11:28:17.000000000 +0200 @@ -5,8 +5,9 @@ "testing" policiesv1beta1 "github.com/kyverno/api/api/policies.kyverno.io/v1beta1" + admissionv1 "k8s.io/api/admission/v1" corev1 "k8s.io/api/core/v1" - admissionv1 "k8s.io/apiserver/pkg/admission" + "k8s.io/apiserver/pkg/admission" "github.com/kyverno/kyverno/pkg/cel/libs" "github.com/kyverno/kyverno/pkg/cel/policies/mpol/compiler" @@ -17,7 +18,7 @@ type fakeCompiledPolicy struct{} -func (f *fakeCompiledPolicy) MatchesConditions(_ context.Context, _ admissionv1.Attributes, _ *corev1.Namespace) bool { +func (f *fakeCompiledPolicy) MatchesConditions(_ context.Context, _ admission.Attributes, _ *admissionv1.AdmissionRequest, _ *corev1.Namespace) bool { return true } 
@@ -149,7 +150,7 @@ } t.Run("match all", func(t *testing.T) { - names := provider.MatchesMutateExisting(context.Background(), &mockAttributes{}, &corev1.Namespace{}) + names := provider.MatchesMutateExisting(context.Background(), &mockAttributes{}, nil, &corev1.Namespace{}) assert.Equal(t, []string{"match"}, names) }) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/reconciler.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/reconciler.go --- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/reconciler.go 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/reconciler.go 2026-05-18 11:28:17.000000000 +0200 @@ -10,6 +10,7 @@ "github.com/kyverno/kyverno/pkg/cel/matching" "github.com/kyverno/kyverno/pkg/cel/policies/mpol/autogen" "github.com/kyverno/kyverno/pkg/cel/policies/mpol/compiler" + admissionv1 "k8s.io/api/admission/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apiserver/pkg/admission" @@ -136,7 +137,7 @@ return policies } -func (r *reconciler) MatchesMutateExisting(ctx context.Context, attr admission.Attributes, namespace *corev1.Namespace) []string { +func (r *reconciler) MatchesMutateExisting(ctx context.Context, attr admission.Attributes, request *admissionv1.AdmissionRequest, namespace *corev1.Namespace) []string { policies := r.Fetch(ctx, true) matchedPolicies := []string{} for _, mpol := range policies { 
@@ -150,7 +151,7 @@ continue } if mpol.Policy.GetSpec().MatchConditions != nil { - if !mpol.CompiledPolicy.MatchesConditions(ctx, attr, namespace, r.libCxt) { + if !mpol.CompiledPolicy.MatchesConditions(ctx, attr, request, namespace, r.libCxt) { continue } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/reconciler_test.go new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/reconciler_test.go --- old/kyverno-1.18.0/pkg/cel/policies/mpol/engine/reconciler_test.go 2026-04-29 12:51:40.000000000 +0200 +++ new/kyverno-1.18.1/pkg/cel/policies/mpol/engine/reconciler_test.go 2026-05-18 11:28:17.000000000 +0200 @@ -269,7 +269,7 @@ } attrs := &mockAttributes{} namespace := &corev1.Namespace{} - got := r.MatchesMutateExisting(context.TODO(), attrs, namespace) + got := r.MatchesMutateExisting(context.TODO(), attrs, nil, namespace) assert.ElementsMatch(t, tt.expectedNames, got) }) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/chainsaw-test.yaml new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/chainsaw-test.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/chainsaw-test.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/chainsaw-test.yaml 2026-05-18 11:28:17.000000000 +0200 
@@ -0,0 +1,41 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + name: generate-clusterrolebinding-from-namespace +spec: + concurrent: false + steps: + - name: create permissions + try: + - apply: + file: permissions.yaml + - name: create policy + use: + template: ../../../../_step-templates/create-policy.yaml + with: + bindings: + - name: file + value: policy.yaml + - name: wait-generating-policy-ready + use: + template: ../../../../_step-templates/generating-policy-ready.yaml + with: + bindings: + - name: name + value: test-user + - name: create namespace trigger + try: + - apply: + file: namespace.yaml + - name: check that the clusterrolebinding is generated + try: + - assert: + file: clusterrolebinding-assert.yaml + - name: cleanup generated clusterrolebinding + try: + - delete: + ref: + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + name: test-app-gpol-crb-view diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/clusterrolebinding-assert.yaml new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/clusterrolebinding-assert.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/clusterrolebinding-assert.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/clusterrolebinding-assert.yaml 2026-05-18 11:28:17.000000000 +0200 
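Review bot: The final cleanup step deletes the generated ClusterRoleBinding while the policy (with `synchronize.enabled: true`) and the trigger namespace `app-gpol-crb` may still exist, so the background controller can legitimately re-create `test-app-gpol-crb-view` right after the delete; whether that races depends on how chainsaw orders its automatic cleanup of the applied policy and namespace against this explicit step, which the file does not show. Deleting the namespace or the policy in a step before the CRB delete, or following the delete with an assertion that the CRB is gone, would make the cleanup deterministic. A one-line comment on the step saying why the CRB needs manual deletion (it was created by Kyverno, not applied by the test) would also help the next reader.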
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: test-app-gpol-crb-view +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: view +subjects: +- kind: ServiceAccount + name: default + namespace: app-gpol-crb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/namespace.yaml new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/namespace.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/namespace.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/namespace.yaml 2026-05-18 11:28:17.000000000 +0200 @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: app-gpol-crb diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/permissions.yaml new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/permissions.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/permissions.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/permissions.yaml 2026-05-18 11:28:17.000000000 +0200 
@@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:crb:manage + labels: + rbac.kyverno.io/aggregate-to-background-controller: "true" +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - get + - list + - watch + - create + - update + - delete diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/policy.yaml new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/policy.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/policy.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/generating-policies/data/sync/generate-clusterrolebinding-from-namespace/policy.yaml 2026-05-18 11:28:17.000000000 +0200 
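Review bot: This ClusterRole aggregates `create`/`update`/`delete` on `clusterrolebindings` into the background controller, which is precisely the permission that lets anyone able to create a GeneratingPolicy mint cluster-wide bindings through the controller; it is a test fixture, but nothing marks it as such and fixtures like this get copied. A header comment would keep it from leaking into production: `# Test-only: lets the background controller write ClusterRoleBindings so the policy under test can generate one. Do not copy to real clusters without an RBAC review.`. Note also that Kubernetes escalation prevention only lets the controller bind ClusterRoles whose permissions it already holds unless it is granted the `bind` verb on them; the test binds `view`, which presumably the controller's aggregated read rules already cover, but a different target role would need that verb here.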
@@ -0,0 +1,40 @@ +apiVersion: policies.kyverno.io/v1beta1 +kind: GeneratingPolicy +metadata: + name: test-user +spec: + evaluation: + synchronize: + enabled: true + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["namespaces"] + variables: + - name: ns + expression: object.metadata.name + generate: + - expression: | + generator.apply(string(variables.ns), [ + { + "kind": dyn("ClusterRoleBinding"), + "apiVersion": dyn("rbac.authorization.k8s.io/v1"), + "metadata": dyn({ + "name": dyn("test-" + string(variables.ns) + "-view") + }), + "roleRef": dyn({ + "apiGroup": dyn("rbac.authorization.k8s.io"), + "kind": dyn("ClusterRole"), + "name": dyn("view") + }), + "subjects": dyn([ + { + "kind": dyn("ServiceAccount"), + "name": dyn("default"), + "namespace": dyn(string(variables.ns)) + } + ]) + } + ]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/chainsaw-test.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/chainsaw-test.yaml --- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/chainsaw-test.yaml 1970-01-01 01:00:00.000000000 +0100 +++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/chainsaw-test.yaml 2026-05-18 11:28:17.000000000 +0200 
@@ -0,0 +1,66 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: auto-bind-sa-add
+spec:
+ template: false
+ steps:
+ - name: step-01-install-policy
+ try:
+ - apply:
+ file: ../auto-bind-sa-add.yaml
+ - assert:
+ resource:
+ apiVersion: policies.kyverno.io/v1
+ kind: MutatingPolicy
+ metadata:
+ name: auto-bind-sa-add
+ timeout: 10s
+ - sleep:
+ duration: 3s
+
+ - name: step-02-setup-crb
+ try:
+ - apply:
+ file: test-crb.yaml
+ - assert:
+ resource:
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: test-crb
+ timeout: 15s
+
+ - name: step-03-sa-with-annotation-gets-added
+ try:
+ - apply:
+ file: sa-with-annotation.yaml
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: sa-auto-bind
+ namespace: default
+ timeout: 15s
+ - sleep:
+ duration: 3s
+ - script:
+ content: "kubectl get clusterrolebinding test-crb -o jsonpath='{.subjects}' | grep -q 'sa-auto-bind' && echo 'SA found in subjects' || (echo 'SA NOT found in subjects'; exit 1)"
+
+ - name: step-04-sa-without-annotation-not-added
+ try:
+ - apply:
+ file: sa-without-annotation.yaml
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: sa-no-bind
+ namespace: default
+ timeout: 15s
+ - sleep:
+ duration: 13s
+ - script:
+ content: "kubectl get clusterrolebinding test-crb -o jsonpath='{.subjects}' | grep -q 'sa-no-bind' && (echo 'SA unexpectedly found in subjects'; exit 1) || echo 'SA correctly NOT in subjects'"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-with-annotation.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-with-annotation.yaml
---
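Review bot: The negative check in step-04 passes vacuously if `kubectl get clusterrolebinding test-crb` fails: the pipeline's status comes from `grep -q`, so a missing binding or an API error prints `SA correctly NOT in subjects` and the step succeeds. Capture the lookup first and fail on error, e.g. `SUBJECTS=$(kubectl get clusterrolebinding test-crb -o jsonpath='{.subjects}') || exit 1` followed by `echo "$SUBJECTS" | grep -q 'sa-no-bind' && { echo 'SA unexpectedly found in subjects'; exit 1; } || echo 'SA correctly NOT in subjects'`. Step-03 has the same shape but at least fails loudly on a lookup error, since the `||` branch there exits 1. The fixed `sleep` durations (3s and 13s) encode a timing assumption about the background controller; for the positive case a chainsaw `assert` with a timeout on the binding's `subjects` would be more robust than sleep-then-grep.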
old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-with-annotation.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-with-annotation.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-auto-bind
+ namespace: default
+ annotations:
+ rbac.example.com/auto-bind: "true"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-without-annotation.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-without-annotation.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-without-annotation.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/sa-without-annotation.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-no-bind
+ namespace: default
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/test-crb.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/test-crb.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/test-crb.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/.chainsaw-tests/test-crb.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-crb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects: []
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/auto-bind-sa-add.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/auto-bind-sa-add.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/auto-bind-sa-add.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-add/auto-bind-sa-add.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,60 @@
+apiVersion: policies.kyverno.io/v1
+kind: MutatingPolicy
+metadata:
+ name: auto-bind-sa-add
+spec:
+ evaluation:
+ mutateExisting:
+ enabled: true
+ matchConditions:
+ - expression: |-
+ request.object.metadata.?annotations[?'rbac.example.com/auto-bind'].orValue('') == 'true'
+ name: has-auto-bind-annotation
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - serviceaccounts
+ mutations:
+ - jsonPatch:
+ expression: |-
+ has(object.subjects) ?
+ [JSONPatch{
+ op: "add",
+ path: "/subjects/-",
+ value: dyn({
+ "kind": dyn("ServiceAccount"),
+ "name": dyn(variables.saName),
+ "namespace": dyn(variables.saNamespace)
+ })
+ }] :
+ [JSONPatch{
+ op: "add",
+ path: "/subjects",
+ value: [dyn({
+ "kind": dyn("ServiceAccount"),
+ "name": dyn(variables.saName),
+ "namespace": dyn(variables.saNamespace)
+ })]
+ }]
+ patchType: JSONPatch
+ targetMatchConstraints:
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - v1
+ resources:
+ - clusterrolebindings
+ resourceNames:
+ - test-crb
+ variables:
+ - expression: request.object.metadata.name
+ name: saName
+ - expression: request.object.metadata.namespace
+ name: saNamespace
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/chainsaw-test.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/chainsaw-test.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/chainsaw-test.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/chainsaw-test.yaml 2026-05-18 11:28:17.000000000 +0200
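Review bot: The trigger condition trusts a caller-writable annotation on a namespaced object — `rbac.example.com/auto-bind` on a ServiceAccount — to add that account to a cluster-scoped binding, so any principal with `create` on serviceaccounts in any namespace can grant itself whatever `test-crb` binds; the `resourceNames` restriction limits which binding is touched, not who can trigger it. For a fixture that is fine, but a header comment should say so, e.g. `# Test fixture: the annotation is caller-controlled, so a real policy must also constrain the trigger (namespaceSelector / objectSelector on matchConstraints) before binding cluster roles.` Separately, the jsonPatch appends to `/subjects/-` unconditionally, so re-evaluating the same trigger (a retried UpdateRequest, or widening `operations` to UPDATE) adds the same subject again; guarding on an `exists` over the current subjects keeps the mutation idempotent, as sketched below. The subject literal is also repeated in both branches and can be hoisted into a variable.
```yaml
  mutations:
  - jsonPatch:
      expression: |-
        object.?subjects.orValue([]).exists(s,
          s.kind == 'ServiceAccount' && s.name == variables.saName && s.namespace == variables.saNamespace) ?
          [] :
        has(object.subjects) ?
          [JSONPatch{op: "add", path: "/subjects/-", value: variables.subject}] :
          [JSONPatch{op: "add", path: "/subjects", value: [variables.subject]}]
      patchType: JSONPatch
  # … unchanged: targetMatchConstraints …
  variables:
  - expression: request.object.metadata.name
    name: saName
  - expression: request.object.metadata.namespace
    name: saNamespace
  - expression: 'dyn({"kind": dyn("ServiceAccount"), "name": dyn(variables.saName), "namespace": dyn(variables.saNamespace)})'
    name: subject
```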
@@ -0,0 +1,94 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: auto-bind-sa-remove
+spec:
+ template: false
+ steps:
+ - name: step-01-install-policy
+ try:
+ - apply:
+ file: ../auto-bind-sa-remove.yaml
+ - assert:
+ resource:
+ apiVersion: policies.kyverno.io/v1
+ kind: MutatingPolicy
+ metadata:
+ name: auto-bind-sa-remove
+ timeout: 10s
+ - sleep:
+ duration: 3s
+
+ - name: step-02-setup-crb-and-sa
+ try:
+ - apply:
+ file: crb-with-sa-subject.yaml
+ - apply:
+ file: sa-auto-bind-remove.yaml
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: sa-auto-bind-remove
+ namespace: default
+ timeout: 10s
+
+ - name: step-03-delete-annotated-sa-removes-from-crb
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: ServiceAccount
+ name: sa-auto-bind-remove
+ namespace: default
+ - sleep:
+ duration: 3s
+ - script:
+ content: |
+ SUBJECTS=$(kubectl get clusterrolebinding test-crb-auto-bind-remove -o jsonpath='{.subjects}' 2>&1 || echo '[]')
+ echo "Subjects: $SUBJECTS"
+ if echo "$SUBJECTS" | grep -q 'sa-auto-bind-remove'; then
+ echo 'ERROR: SA still present in subjects'
+ exit 1
+ else
+ echo 'OK: SA removed from subjects'
+ exit 0
+ fi
+
+ - name: step-04-setup-unannotated-sa-and-crb
+ try:
+ - apply:
+ file: sa-no-annotation.yaml
+ - apply:
+ file: crb-with-other-sa-subject.yaml
+ - assert:
+ resource:
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ name: sa-no-annotation
+ namespace: default
+ timeout: 10s
+
+ - name: step-05-delete-unannotated-sa-does-not-affect-crb
+ try:
+ - delete:
+ ref:
+ apiVersion: v1
+ kind: ServiceAccount
+ name: sa-no-annotation
+ namespace: default
+ - sleep:
+ duration: 3s
+ - script:
+ content: |
+ SUBJECTS=$(kubectl get clusterrolebinding test-crb-other-sa -o jsonpath='{.subjects}' 2>&1 || echo '[]')
+ echo "Subjects: $SUBJECTS"
+ if echo "$SUBJECTS" | grep -q 'sa-no-annotation'; then
+ echo 'OK: SA still present (policy did not remove it)'
+ exit 0
+ else
+ echo 'ERROR: 
SA was incorrectly removed from subjects'
+ exit 1
+ fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-other-sa-subject.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-other-sa-subject.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-other-sa-subject.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-other-sa-subject.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-crb-other-sa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: sa-no-annotation
+ namespace: default
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-sa-subject.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-sa-subject.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-sa-subject.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/crb-with-sa-subject.yaml 2026-05-18 11:28:17.000000000 +0200
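Review bot: Step-03's "SA removed" assertion passes vacuously when the binding cannot be read: `2>&1 || echo '[]'` folds the kubectl error text and `[]` into `SUBJECTS`, the grep for `sa-auto-bind-remove` then presumably fails (a not-found message names `test-crb-auto-bind-remove`, not the SA), and the step reports `OK`. Drop the fallback and fail on lookup error, e.g. `SUBJECTS=$(kubectl get clusterrolebinding test-crb-auto-bind-remove -o jsonpath='{.subjects}') || { echo 'ERROR: could not read binding'; exit 1; }`; step-05 has the same shape but errs on the safe side, since a failed lookup there makes the step fail. The 3s sleeps before each check are timing assumptions about the background controller; a chainsaw `assert` with a timeout would be more robust. This hunk starts on the previous physical line.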
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-crb-auto-bind-remove
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: view
+subjects:
+- kind: ServiceAccount
+ name: sa-auto-bind-remove
+ namespace: default
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-auto-bind-remove.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-auto-bind-remove.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-auto-bind-remove.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-auto-bind-remove.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-auto-bind-remove
+ namespace: default
+ annotations:
+ rbac.example.com/auto-bind: "true"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-no-annotation.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-no-annotation.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-no-annotation.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/.chainsaw-tests/sa-no-annotation.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa-no-annotation
+ namespace: default
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/auto-bind-sa-remove.yaml new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/auto-bind-sa-remove.yaml
--- old/kyverno-1.18.0/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/auto-bind-sa-remove.yaml 1970-01-01 01:00:00.000000000 +0100
+++ new/kyverno-1.18.1/test/conformance/chainsaw/mutating-policies/existing/variables/auto-bind-sa-remove/auto-bind-sa-remove.yaml 2026-05-18 11:28:17.000000000 +0200
@@ -0,0 +1,40 @@
+apiVersion: policies.kyverno.io/v1
+kind: MutatingPolicy
+metadata:
+ name: auto-bind-sa-remove
+spec:
+ evaluation:
+ mutateExisting:
+ enabled: true
+ matchConditions:
+ - expression: "has(request.oldObject.metadata.annotations) && request.oldObject.metadata.annotations[?'rbac.example.com/auto-bind'].orValue('') == 'true'"
+ name: has-auto-bind-annotation
+ matchConstraints:
+ resourceRules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - DELETE
+ resources:
+ - serviceaccounts
+ mutations:
+ - jsonPatch:
+ expression: 'variables.matchingSubjectIndices.map(idx, JSONPatch{op: "remove", path: "/subjects/" + string(idx)})'
+ patchType: JSONPatch
+ targetMatchConstraints:
+ resourceRules:
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ apiVersions:
+ - v1
+ resources:
+ - clusterrolebindings
+ variables:
+ - expression: "request.oldObject.metadata.name"
+ name: saName
+ - expression: "request.oldObject.metadata.namespace"
+ name: saNamespace
+ - expression: "object.?subjects.orValue([]).filter(s, s.kind == 'ServiceAccount' && s.name == variables.saName && s.namespace == variables.saNamespace).map(s, object.subjects.indexOf(s))"
+ name: matchingSubjectIndices
++++++ kyverno.obsinfo ++++++
--- /var/tmp/diff_new_pack.vU01t4/_old 2026-05-18 17:50:00.277231185 +0200
+++ /var/tmp/diff_new_pack.vU01t4/_new 2026-05-18 17:50:00.297232011 +0200
@@ -1,5 +1,5 @@
 name: kyverno
-version: 1.18.0
-mtime: 1777459900
-commit: 78e7560a5531fda5a39ffb119d7d8e47527d8aee
+version: 1.18.1
+mtime: 1779096497
+commit: ec14520a11cc25432482bfc0baa6a61d3c309524
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/kyverno/vendor.tar.gz /work/SRC/openSUSE:Factory/.kyverno.new.1966/vendor.tar.gz differ: char 130, line 1
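Review bot: Removing subjects by index in ascending order is wrong when more than one subject matches: JSON Patch applies operations sequentially, so after `remove /subjects/0` the element that was at index 2 is now at 1, and the second `remove /subjects/2` deletes a different subject or fails on an out-of-range path; `indexOf(s)` also returns the first equal element, so duplicate entries produce repeated removes at the same index. Replacing the whole `subjects` list with the filtered result avoids index arithmetic altogether and is a no-op when nothing matched, as sketched below. The trigger-side condition on `request.oldObject` is the right choice for DELETE, and because the target has no `resourceNames` every ClusterRoleBinding is scanned, which looks intended here but deserves a comment.
```yaml
  mutations:
  - jsonPatch:
      expression: |-
        variables.remaining.size() == object.?subjects.orValue([]).size() ? [] :
        [JSONPatch{op: "replace", path: "/subjects", value: dyn(variables.remaining)}]
      patchType: JSONPatch
  # … unchanged: targetMatchConstraints …
  variables:
  - expression: "request.oldObject.metadata.name"
    name: saName
  - expression: "request.oldObject.metadata.namespace"
    name: saNamespace
  - expression: "object.?subjects.orValue([]).filter(s, !(s.kind == 'ServiceAccount' && s.name == variables.saName && s.namespace == variables.saNamespace))"
    name: remaining
```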
