diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index d8b0a4f81..541b4eaa8 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -15473,7 +15473,7 @@ "default": "" }, "predicate": { - "description": "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n - Pod: spec/containers/\u003cN\u003e/image\n - ReplicaSet: spec/template/spec/containers/\u003cN\u003e/image\n - Deployment: spec/template/spec/containers/\u003cN\u003e/image\n - DaemonSet: spec/template/spec/containers/\u003cN\u003e/image\n - StatefulSet: spec/template/spec/containers/\u003cN\u003e/image\n - Job: spec/template/spec/containers/\u003cN\u003e/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.", + "description": "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n - Pod: /spec/containers/\u003cN\u003e/image\n - ReplicaSet: /spec/template/spec/containers/\u003cN\u003e/image\n - Deployment: /spec/template/spec/containers/\u003cN\u003e/image\n - DaemonSet: /spec/template/spec/containers/\u003cN\u003e/image\n - StatefulSet: /spec/template/spec/containers/\u003cN\u003e/image\n - Job: /spec/template/spec/containers/\u003cN\u003e/image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.", "$ref": "#/definitions/com.github.karmada-io.karmada.pkg.apis.policy.v1alpha1.ImagePredicate" }, "value": { 
diff --git a/charts/karmada/_crds/bases/policy.karmada.io_clusteroverridepolicies.yaml b/charts/karmada/_crds/bases/policy.karmada.io_clusteroverridepolicies.yaml index 90f00ffc8..19f7f408d 100644 --- a/charts/karmada/_crds/bases/policy.karmada.io_clusteroverridepolicies.yaml +++ b/charts/karmada/_crds/bases/policy.karmada.io_clusteroverridepolicies.yaml @@ -176,14 +176,15 @@ spec: system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule: - - Pod: spec/containers//image - ReplicaSet: spec/template/spec/containers//image - - Deployment: spec/template/spec/containers//image - - DaemonSet: spec/template/spec/containers//image - - StatefulSet: spec/template/spec/containers//image - - Job: spec/template/spec/containers//image In - addition, all images will be processed if the resource - object has more than one container. \n If not nil, - only images matches the filters will be processed." + - Pod: /spec/containers//image - ReplicaSet: + /spec/template/spec/containers//image - Deployment: + /spec/template/spec/containers//image - DaemonSet: + /spec/template/spec/containers//image - StatefulSet: + /spec/template/spec/containers//image - Job: + /spec/template/spec/containers//image In addition, + all images will be processed if the resource object + has more than one container. \n If not nil, only + images matches the filters will be processed." properties: path: description: Path indicates the path of target 
@@ -500,12 +501,12 @@ spec: rule. \n Defaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet - or Job by following rule: - Pod: spec/containers//image - - ReplicaSet: spec/template/spec/containers//image - - Deployment: spec/template/spec/containers//image - - DaemonSet: spec/template/spec/containers//image - - StatefulSet: spec/template/spec/containers//image - - Job: spec/template/spec/containers//image In addition, + or Job by following rule: - Pod: /spec/containers//image + - ReplicaSet: /spec/template/spec/containers//image + - Deployment: /spec/template/spec/containers//image + - DaemonSet: /spec/template/spec/containers//image + - StatefulSet: /spec/template/spec/containers//image + - Job: /spec/template/spec/containers//image In addition, all images will be processed if the resource object has more than one container. \n If not nil, only images matches the filters will be processed." diff --git a/charts/karmada/_crds/bases/policy.karmada.io_overridepolicies.yaml b/charts/karmada/_crds/bases/policy.karmada.io_overridepolicies.yaml index d326c0e18..a95b9ac62 100644 --- a/charts/karmada/_crds/bases/policy.karmada.io_overridepolicies.yaml +++ b/charts/karmada/_crds/bases/policy.karmada.io_overridepolicies.yaml 
@@ -176,14 +176,15 @@ spec: system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule: - - Pod: spec/containers//image - ReplicaSet: spec/template/spec/containers//image - - Deployment: spec/template/spec/containers//image - - DaemonSet: spec/template/spec/containers//image - - StatefulSet: spec/template/spec/containers//image - - Job: spec/template/spec/containers//image In - addition, all images will be processed if the resource - object has more than one container. \n If not nil, - only images matches the filters will be processed." + - Pod: /spec/containers//image - ReplicaSet: + /spec/template/spec/containers//image - Deployment: + /spec/template/spec/containers//image - DaemonSet: + /spec/template/spec/containers//image - StatefulSet: + /spec/template/spec/containers//image - Job: + /spec/template/spec/containers//image In addition, + all images will be processed if the resource object + has more than one container. \n If not nil, only + images matches the filters will be processed." properties: path: description: Path indicates the path of target 
@@ -500,12 +501,12 @@ spec: rule. \n Defaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet - or Job by following rule: - Pod: spec/containers//image - - ReplicaSet: spec/template/spec/containers//image - - Deployment: spec/template/spec/containers//image - - DaemonSet: spec/template/spec/containers//image - - StatefulSet: spec/template/spec/containers//image - - Job: spec/template/spec/containers//image In addition, + or Job by following rule: - Pod: /spec/containers//image + - ReplicaSet: /spec/template/spec/containers//image + - Deployment: /spec/template/spec/containers//image + - DaemonSet: /spec/template/spec/containers//image + - StatefulSet: /spec/template/spec/containers//image + - Job: /spec/template/spec/containers//image In addition, all images will be processed if the resource object has more than one container. \n If not nil, only images matches the filters will be processed." diff --git a/pkg/apis/policy/v1alpha1/override_types.go b/pkg/apis/policy/v1alpha1/override_types.go index 6532f909f..424e96d4c 100644 --- a/pkg/apis/policy/v1alpha1/override_types.go +++ b/pkg/apis/policy/v1alpha1/override_types.go 
@@ -133,12 +133,12 @@ type ImageOverrider struct {
 //
 // Defaults to nil, in that case, the system will automatically detect image fields if the resource type is
 // Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:
- // - Pod: spec/containers//image
- // - ReplicaSet: spec/template/spec/containers//image
- // - Deployment: spec/template/spec/containers//image
- // - DaemonSet: spec/template/spec/containers//image
- // - StatefulSet: spec/template/spec/containers//image
- // - Job: spec/template/spec/containers//image
+ // - Pod: /spec/containers//image
+ // - ReplicaSet: /spec/template/spec/containers//image
+ // - Deployment: /spec/template/spec/containers//image
+ // - DaemonSet: /spec/template/spec/containers//image
+ // - StatefulSet: /spec/template/spec/containers//image
+ // - Job: /spec/template/spec/containers//image
 // In addition, all images will be processed if the resource object has more than one container.
 //
 // If not nil, only images matches the filters will be processed.
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 6f9b819fa..296543a76 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -2829,7 +2829,7 @@ func schema_pkg_apis_policy_v1alpha1_ImageOverrider(ref common.ReferenceCallback Properties: map[string]spec.Schema{ "predicate": { SchemaProps: spec.SchemaProps{ - Description: "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n - Pod: spec/containers//image\n - ReplicaSet: spec/template/spec/containers//image\n - Deployment: spec/template/spec/containers//image\n - DaemonSet: spec/template/spec/containers//image\n - StatefulSet: spec/template/spec/containers//image\n - Job: spec/template/spec/containers//image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.", + Description: "Predicate filters images before applying the rule.\n\nDefaults to nil, in that case, the system will automatically detect image fields if the resource type is Pod, ReplicaSet, Deployment, StatefulSet, DaemonSet or Job by following rule:\n - Pod: /spec/containers//image\n - ReplicaSet: /spec/template/spec/containers//image\n - Deployment: /spec/template/spec/containers//image\n - DaemonSet: /spec/template/spec/containers//image\n - StatefulSet: /spec/template/spec/containers//image\n - Job: /spec/template/spec/containers//image\nIn addition, all images will be processed if the resource object has more than one container.\n\nIf not nil, only images matches the filters will be processed.", Ref: ref("github.com/karmada-io/karmada/pkg/apis/policy/v1alpha1.ImagePredicate"), }, }, diff --git a/pkg/util/validation/validation.go b/pkg/util/validation/validation.go index ecea60b30..9f581801e 100644 --- a/pkg/util/validation/validation.go +++ b/pkg/util/validation/validation.go 
@@ -2,6 +2,7 @@ package validation
 import (
 "fmt"
+ "strings"
 corev1 "k8s.io/api/core/v1"
 apivalidation "k8s.io/apimachinery/pkg/api/validation"
@@ -208,6 +209,14 @@ func ValidateOverrideRules(overrideRules []policyv1alpha1.RuleWithCluster, fldPa
 allErrs = append(allErrs, metav1validation.ValidateLabels(label.Value, labelPath.Child("value"))...)
 }
+ // validates predicate path.
+ for imageIndex, image := range rule.Overriders.ImageOverrider {
+ imagePath := rulePath.Child("overriders").Child("imageOverrider").Index(imageIndex)
+ if image.Predicate != nil && !strings.HasPrefix(image.Predicate.Path, "/") {
+ allErrs = append(allErrs, field.Invalid(imagePath.Child("predicate").Child("path"), image.Predicate.Path, "path should be start with / character"))
+ }
+ }
+
 // validates the targetCluster.
 allErrs = append(allErrs, ValidateClusterAffinity(rule.TargetCluster, rulePath.Child("targetCluster"))...)
 }
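Review bot: The new predicate-path check in ValidateOverrideRules tests only the first character, so `!strings.HasPrefix(image.Predicate.Path, "/")` still accepts `/` on its own or a path with empty segments. How the overrider treats a path that resolves to no field is not visible here, but if it skips the rule, an image override that an operator relies on (for example to pin a trusted registry) would presumably be dropped with no admission error. Consider also rejecting empty segments, and confirm how policies already stored with a path that lacks the leading slash behave once this check is active, since they would presumably fail validation on their next update. The message is ungrammatical; `"path should start with the / character"` reads better. The function body starts and ends outside the hunk, and no test for the new branch is visible in this diff.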