diff --git a/api/policies.kyverno.io/v1beta1/generating_policy.go b/api/policies.kyverno.io/v1beta1/generating_policy.go index db9ecd8..3f7e381 100644 --- a/api/policies.kyverno.io/v1beta1/generating_policy.go +++ b/api/policies.kyverno.io/v1beta1/generating_policy.go @@ -261,6 +261,16 @@ func (s GeneratingPolicySpec) AdmissionEnabled() bool { return *s.EvaluationConfiguration.Admission.Enabled } +// SkipBackgroundRequestsEnabled returns whether background requests should be skipped. +// Returns true by default. +func (s GeneratingPolicySpec) SkipBackgroundRequestsEnabled() bool { + const defaultValue = true + if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.SkipBackgroundRequests == nil { + return defaultValue + } + return *s.EvaluationConfiguration.SkipBackgroundRequests +} + type GeneratingPolicyEvaluationConfiguration struct { // Admission controls policy evaluation during admission. // +optional @@ -276,6 +286,13 @@ type GeneratingPolicyEvaluationConfiguration struct { // OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete. OrphanDownstreamOnPolicyDelete *OrphanDownstreamOnPolicyDeleteConfiguration `json:"orphanDownstreamOnPolicyDelete,omitempty"` + + // SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + // The default value is set to "true", it must be set to "false" to apply + // generate rules to those requests. + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + SkipBackgroundRequests *bool `json:"skipBackgroundRequests,omitempty"` } // GenerateExistingConfiguration defines the configuration for generating resources for existing triggers. diff --git a/api/policies.kyverno.io/v1beta1/mutating_policy.go b/api/policies.kyverno.io/v1beta1/mutating_policy.go index 7128ad0..bd08abb 100644 --- a/api/policies.kyverno.io/v1beta1/mutating_policy.go +++ b/api/policies.kyverno.io/v1beta1/mutating_policy.go 
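Review bot: The doc comment on `SkipBackgroundRequestsEnabled` in generating_policy.go says background requests "should be skipped" without saying what skips them or who sends them; the identical getter added to `MutatingPolicySpec` in mutating_policy.go has the same gap. Because this flag decides whether a policy is evaluated for a whole class of admission requests, I would spell it out: `// SkipBackgroundRequestsEnabled reports whether admission requests sent by the background controller are excluded from this policy.` followed by `// It returns true when EvaluationConfiguration or SkipBackgroundRequests is unset.` No caller or test for either getter is visible in this diff, so the nil-config, explicit-true and explicit-false cases look worth covering wherever the flag is consumed.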
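Review bot: The field comment on `SkipBackgroundRequests` in `GeneratingPolicyEvaluationConfiguration` says it "bypasses admission requests", which reads as if the requests bypass admission rather than the policy ignoring them, and it does not say why the default is true. Setting it to false presumably lets the background controller's own writes re-enter generate rules, so the comment should name that trade-off if it is the reason for the default; the field added in mutating_policy.go uses the same wording. Suggested first line: `// SkipBackgroundRequests excludes admission requests sent by the background controller from this policy.` As a style point, the neighbouring `Admission` field is marked `// +optional` while this one uses `// +kubebuilder:validation:Optional`; one convention per struct is easier to audit. The struct body starts and ends outside the hunk.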
@@ -404,6 +404,16 @@ func (s MutatingPolicySpec) MutateExistingEnabled() bool { return *s.EvaluationConfiguration.MutateExistingConfiguration.Enabled } +// SkipBackgroundRequestsEnabled returns whether background requests should be skipped. +// Returns true by default. +func (s MutatingPolicySpec) SkipBackgroundRequestsEnabled() bool { + const defaultValue = true + if s.EvaluationConfiguration == nil || s.EvaluationConfiguration.SkipBackgroundRequests == nil { + return defaultValue + } + return *s.EvaluationConfiguration.SkipBackgroundRequests +} + type MutatingPolicyEvaluationConfiguration struct { // Mode is the mode of policy evaluation. // Allowed values are "Kubernetes" or "JSON". @@ -422,6 +432,13 @@ type MutatingPolicyEvaluationConfiguration struct { // MutateExisting controls whether existing resources are mutated. // +optional MutateExistingConfiguration *MutateExistingConfiguration `json:"mutateExisting,omitempty"` + + // SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + // The default value is set to "true", it must be set to "false" to apply + // mutateExisting rules to those requests. + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + SkipBackgroundRequests *bool `json:"skipBackgroundRequests,omitempty"` } type MutatingPolicyAutogenConfiguration struct { diff --git a/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go b/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go index 2257175..a5f342e 100644 --- a/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go +++ b/api/policies.kyverno.io/v1beta1/zz_generated.deepcopy.go @@ -485,6 +485,11 @@ func (in *GeneratingPolicyEvaluationConfiguration) DeepCopyInto(out *GeneratingP *out = new(OrphanDownstreamOnPolicyDeleteConfiguration) (*in).DeepCopyInto(*out) } + if in.SkipBackgroundRequests != nil { + in, out := &in.SkipBackgroundRequests, &out.SkipBackgroundRequests + *out = new(bool) + **out = **in + } return } 
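Review bot: In mutating_policy.go the comment on `SkipBackgroundRequests` limits the effect to "mutateExisting rules", but the field sits directly on `MutatingPolicyEvaluationConfiguration` rather than inside `MutateExistingConfiguration`, and the getter `SkipBackgroundRequestsEnabled` is defined on the whole `MutatingPolicySpec`. From these hunks it is not clear whether setting it to false also subjects background-controller requests to admission-time mutation, and a reader who guesses wrong may widen policy scope unintentionally. The comment should state the scope explicitly, for example `// Only mutateExisting evaluation is affected; admission-time mutation is unchanged.` if that is the intent, or the field could move under `MutateExistingConfiguration` to make the scope structural. The struct body starts outside the hunk.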
@@ -1121,6 +1126,11 @@ func (in *MutatingPolicyEvaluationConfiguration) DeepCopyInto(out *MutatingPolic *out = new(MutateExistingConfiguration) (*in).DeepCopyInto(*out) } + if in.SkipBackgroundRequests != nil { + in, out := &in.SkipBackgroundRequests, &out.SkipBackgroundRequests + *out = new(bool) + **out = **in + } return } diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml index ff81c24..322110f 100644 --- a/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml +++ b/charts/kyverno-api/templates/crds/policies.kyverno.io_generatingpolicies.yaml @@ -1318,6 +1318,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml index be8f7e7..8f1ab2a 100644 --- a/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml +++ b/charts/kyverno-api/templates/crds/policies.kyverno.io_mutatingpolicies.yaml 
@@ -4453,6 +4453,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -5465,6 +5472,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml index e0d38ac..3cead0f 100644 --- a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml +++ b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml @@ -706,6 +706,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. 
diff --git a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml index 5d7fde9..db8a45d 100644 --- a/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml +++ b/charts/kyverno-api/templates/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml @@ -2305,6 +2305,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -3317,6 +3324,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- diff --git a/config/crds.yaml b/config/crds.yaml index 452b923..1b92a52 100644 --- a/config/crds.yaml +++ b/config/crds.yaml 
@@ -2993,6 +2993,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. @@ -14897,6 +14904,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -15909,6 +15923,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- 
@@ -18814,6 +18835,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. @@ -26275,6 +26303,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -27287,6 +27322,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- diff --git a/config/crds/policies.kyverno.io_generatingpolicies.yaml b/config/crds/policies.kyverno.io_generatingpolicies.yaml index 4dda47e..43aab6c 100644 --- a/config/crds/policies.kyverno.io_generatingpolicies.yaml +++ b/config/crds/policies.kyverno.io_generatingpolicies.yaml 
@@ -1316,6 +1316,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. diff --git a/config/crds/policies.kyverno.io_mutatingpolicies.yaml b/config/crds/policies.kyverno.io_mutatingpolicies.yaml index 17dc4c8..a0e5fef 100644 --- a/config/crds/policies.kyverno.io_mutatingpolicies.yaml +++ b/config/crds/policies.kyverno.io_mutatingpolicies.yaml @@ -4451,6 +4451,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -5463,6 +5470,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- diff --git a/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml b/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml index d9b3859..84b73d5 100644 
--- a/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml +++ b/config/crds/policies.kyverno.io_namespacedgeneratingpolicies.yaml @@ -704,6 +704,13 @@ spec: Optional. Defaults to "false" if not specified. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate rules to those requests. + type: boolean synchronize: description: Synchronization defines the configuration for the synchronization of generated resources. diff --git a/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml b/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml index d934f48..7aef9e1 100644 --- a/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml +++ b/config/crds/policies.kyverno.io_namespacedmutatingpolicies.yaml @@ -2303,6 +2303,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- @@ -3315,6 +3322,13 @@ spec: When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. type: boolean type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + mutateExisting rules to those requests. + type: boolean type: object failurePolicy: description: |- 
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index ac34d53..6d8f8e2 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -13958,6 +13958,19 @@
OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.
+skipBackgroundRequestsSkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to “true”, it must be set to “false” to apply +generate rules to those requests.
+MutateExisting controls whether existing resources are mutated.
+skipBackgroundRequestsSkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to “true”, it must be set to “false” to apply +mutateExisting rules to those requests.
+skipBackgroundRequests
+
+ *
+
+
+
+
+
+
+ bool
+
+
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to "true", it must be set to "false" to apply +generate rules to those requests.
+ + + + + +skipBackgroundRequests
+
+ *
+
+
+
+
+
+
+ bool
+
+
+ SkipBackgroundRequests bypasses admission requests that are sent by the background controller. +The default value is set to "true", it must be set to "false" to apply +mutateExisting rules to those requests.
+ + + + + +