api: add skipBackgroundRequests support for MutatingPolicy and GeneratingPolicy

atharrva01 · atharrva01 · commit 3fff0da6083e · 2026-01-26T17:05:11.000+05:30
diff --git a/api/policies.kyverno.io/v1beta1/generating_policy.go b/api/policies.kyverno.io/v1beta1/generating_policy.go
@@ -261,6 +261,16 @@ func (s GeneratingPolicySpec) AdmissionEnabled() bool {
 	return *s.EvaluationConfiguration.Admission.Enabled
 }
 
+// SkipBackgroundRequestsEnabled returns whether background requests should be skipped.
+// Returns true by default.
+func (s GeneratingPolicySpec) SkipBackgroundRequestsEnabled() bool {
+	const defaultValue = true
+	if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.SkipBackgroundRequests == nil {
+		return defaultValue
+	}
+	return *s.EvaluationConfiguration.SkipBackgroundRequests
+}
+
 type GeneratingPolicyEvaluationConfiguration struct {
 	// Admission controls policy evaluation during admission.
 	// +optional
@@ -276,6 +286,13 @@ type GeneratingPolicyEvaluationConfiguration struct {
 
 	// OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.
 	OrphanDownstreamOnPolicyDelete *OrphanDownstreamOnPolicyDeleteConfiguration `json:"orphanDownstreamOnPolicyDelete,omitempty"`
+
+	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+	// The default value is set to "true", it must be set to "false" to apply
+	// generate rules to those requests.
+	// +kubebuilder:default=true
+	// +kubebuilder:validation:Optional
+	SkipBackgroundRequests *bool `json:"skipBackgroundRequests,omitempty"`
 }
 
 // GenerateExistingConfiguration defines the configuration for generating resources for existing triggers.
diff --git a/api/policies.kyverno.io/v1beta1/mutating_policy.go b/api/policies.kyverno.io/v1beta1/mutating_policy.go
@@ -404,6 +404,16 @@ func (s MutatingPolicySpec) MutateExistingEnabled() bool {
 	return *s.EvaluationConfiguration.MutateExistingConfiguration.Enabled
 }
 
+// SkipBackgroundRequestsEnabled returns whether background requests should be skipped.
+// Returns true by default.
+func (s MutatingPolicySpec) SkipBackgroundRequestsEnabled() bool {
+	const defaultValue = true
+	if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.SkipBackgroundRequests == nil {
+		return defaultValue
+	}
+	return *s.EvaluationConfiguration.SkipBackgroundRequests
+}
+
 type MutatingPolicyEvaluationConfiguration struct {
 	// Mode is the mode of policy evaluation.
 	// Allowed values are "Kubernetes" or "JSON".
@@ -422,6 +432,13 @@ type MutatingPolicyEvaluationConfiguration struct {
 	// MutateExisting controls whether existing resources are mutated.
 	// +optional
 	MutateExistingConfiguration *MutateExistingConfiguration `json:"mutateExisting,omitempty"`
+
+	// SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+	// The default value is set to "true", it must be set to "false" to apply
+	// mutateExisting rules to those requests.
+	// +kubebuilder:default=true
+	// +kubebuilder:validation:Optional
+	SkipBackgroundRequests *bool `json:"skipBackgroundRequests,omitempty"`
 }
 
 type MutatingPolicyAutogenConfiguration struct {
diff --git a/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go
diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml
@@ -1318,6 +1318,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml
@@ -4453,6 +4453,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -5465,6 +5472,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml
@@ -706,6 +706,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml
@@ -2305,6 +2305,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -3317,6 +3324,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
diff --git a/config/crds.yaml b/config/crds.yaml
@@ -2993,6 +2993,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
@@ -14897,6 +14904,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -15909,6 +15923,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
@@ -18814,6 +18835,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
@@ -26275,6 +26303,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -27287,6 +27322,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
diff --git a/config/crds/policies.kyverno.io_generatingpolicies.yaml b/config/crds/policies.kyverno.io_generatingpolicies.yaml
@@ -1316,6 +1316,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
diff --git a/config/crds/policies.kyverno.io_mutatingpolicies.yaml b/config/crds/policies.kyverno.io_mutatingpolicies.yaml
@@ -4451,6 +4451,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -5463,6 +5470,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
diff --git a/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml b/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml
@@ -704,6 +704,13 @@ spec:
                           Optional. Defaults to "false" if not specified.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      generate rules to those requests.
+                    type: boolean
                   synchronize:
                     description: Synchronization defines the configuration for the
                       synchronization of generated resources.
diff --git a/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml b/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml
@@ -2303,6 +2303,13 @@ spec:
                           When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                         type: boolean
                     type: object
+                  skipBackgroundRequests:
+                    default: true
+                    description: |-
+                      SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                      The default value is set to "true", it must be set to "false" to apply
+                      mutateExisting rules to those requests.
+                    type: boolean
                 type: object
               failurePolicy:
                 description: |-
@@ -3315,6 +3322,13 @@ spec:
                                         When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.
                                       type: boolean
                                   type: object
+                                skipBackgroundRequests:
+                                  default: true
+                                  description: |-
+                                    SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+                                    The default value is set to "true", it must be set to "false" to apply
+                                    mutateExisting rules to those requests.
+                                  type: boolean
                               type: object
                             failurePolicy:
                               description: |-
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html
@@ -13958,6 +13958,19 @@ <h3 id="policies.kyverno.io/v1beta1.GeneratingPolicyEvaluationConfiguration">Gen
 <p>OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>skipBackgroundRequests</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to apply
+generate rules to those requests.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
@@ -15149,6 +15162,19 @@ <h3 id="policies.kyverno.io/v1beta1.MutatingPolicyEvaluationConfiguration">Mutat
 <p>MutateExisting controls whether existing resources are mutated.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>skipBackgroundRequests</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+The default value is set to &ldquo;true&rdquo;, it must be set to &ldquo;false&rdquo; to apply
+mutateExisting rules to those requests.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
diff --git a/docs/user/crd/kyverno_cel_policies.v1beta1.html b/docs/user/crd/kyverno_cel_policies.v1beta1.html
