argoproj · sandert-k8s · Apr 15, 2026 · Apr 17, 2026
@@ -0,0 +1,37 @@
+-- ClusterPolicy is a cluster-scoped resource that defines policy validation,
+-- mutation, and generation behaviors for matching Kubernetes resources.
+--
+-- Documentation:
+--   Policy types overview: https://kyverno.io/docs/policy-types/cluster-policy/
+--
+-- Condition types and reasons are defined in:
+--   https://github.com/kyverno/kyverno/blob/main/api/kyverno/v1/clusterpolicy_types.go
+--
+-- ClusterPolicy exposes one active condition type:
+--   Ready (True)  - Policy is fully loaded and validated, rules are active
+--   Ready (False) - Policy failed to load (syntax error, missing resources, etc.)
+--
+-- ArgoCD health mapping:
+--   Ready=True   => Healthy
+--   Ready=False  => Degraded
+--   No status yet => Progressing
+local hs = {}
+
+if obj.status ~= nil and obj.status.conditions ~= nil then
+  for _, condition in ipairs(obj.status.conditions) do
+    if condition.type == "Ready" then
+      if condition.status == "True" then
+        hs.status = "Healthy"
+        hs.message = condition.message
+      else
+        hs.status = "Degraded"
+        hs.message = condition.message
+      end
+      return hs
+    end
+  end
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for ClusterPolicy to become ready"
+return hs
@@ -0,0 +1,13 @@
+tests:
+- healthStatus:
+    status: Progressing
+    message: "Waiting for ClusterPolicy to become ready"
+  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Healthy
+    message: "Ready"
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Degraded
+    message: "Policy is not ready"
+  inputPath: testdata/degraded.yaml
@@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample-cluster-policy
+spec: {}
+status:
+  conditions:
+  - lastTransitionTime: "2025-01-01T00:00:00Z"
+    message: Policy is not ready
+    reason: Failed
+    status: "False"
+    type: Ready
@@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample-cluster-policy
+spec: {}
+status:
+  conditions:
+  - lastTransitionTime: "2025-01-01T00:00:00Z"
+    message: Ready
+    reason: Succeeded
+    status: "True"
+    type: Ready
@@ -0,0 +1,5 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sample-cluster-policy
+spec: {}
@@ -0,0 +1,63 @@
+-- DeletingPolicy is a cluster-scoped resource that defines scheduled deletion
+-- of Kubernetes resources matching a set of CEL-based constraints.
+--
+-- Documentation:
+--   Policy types overview: https://kyverno.io/docs/policy-types/deleting-policy/
+--
+-- Condition types and reasons are defined in:
+--   https://github.com/kyverno/kyverno/tree/main/config/crds/policies.kyverno.io/policies.kyverno.io_deletingpolicies.yaml
+--
+-- DeletingPolicy exposes a conditionStatus with a ready boolean and standard
+-- Kubernetes conditions. No fixed condition type names are enforced by the CRD.
+--
+-- ArgoCD health mapping:
+--   conditionStatus.ready=true   => Healthy  (message from first True condition)
+--   conditionStatus.ready=false  => Degraded (message from first False condition)
+--   No status yet                => Progressing
+local hs = {}
+
+if obj.status ~= nil and obj.status.conditionStatus ~= nil then
+  local cs = obj.status.conditionStatus
+
+  if obj.metadata.generation ~= nil and cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.observedGeneration ~= nil and condition.observedGeneration < obj.metadata.generation then
+        hs.status = "Progressing"
+        hs.message = "Waiting for DeletingPolicy status to reflect latest generation"
+        return hs
+      end
+    end
+  end
+
+  if cs.ready == true then
+    hs.status = "Healthy"
+    if cs.conditions ~= nil then
+      for _, condition in ipairs(cs.conditions) do
+        if condition.status == "True" then
+          hs.message = condition.message
+          break
+        end
+      end
+    end
+    if hs.message == nil then
+      hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is ready"
+    end
+    return hs
+  end
+
+  hs.status = "Degraded"
+  if cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.status == "False" then
+        hs.message = condition.type .. ": " .. condition.message
+        return hs
+      end
+    end
+  end
+  hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is not ready"
+  return hs
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for DeletingPolicy status"
+return hs
@@ -0,0 +1,13 @@
+tests:
+- healthStatus:
+    status: Progressing
+    message: "Waiting for DeletingPolicy status"
+  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Healthy
+    message: "Policy is ready"
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Degraded
+    message: "Admitted: webhook configuration failed"
+  inputPath: testdata/degraded.yaml
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: DeletingPolicy
+metadata:
+  name: sample-deleting-policy
+spec: {}
+status:
+  conditionStatus:
+    ready: false
+    conditions:
+    - lastTransitionTime: "2025-01-01T00:00:00Z"
+      message: webhook configuration failed
+      status: "False"
+      type: Admitted
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: DeletingPolicy
+metadata:
+  name: sample-deleting-policy
+spec: {}
+status:
+  conditionStatus:
+    ready: true
+    conditions:
+    - lastTransitionTime: "2025-01-01T00:00:00Z"
+      message: Policy is ready
+      status: "True"
+      type: Admitted
@@ -0,0 +1,5 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: DeletingPolicy
+metadata:
+  name: sample-deleting-policy
+spec: {}
@@ -0,0 +1,63 @@
+-- GeneratingPolicy is a cluster-scoped resource that automatically generates
+-- Kubernetes resources based on CEL-based match rules and trigger conditions.
+--
+-- Documentation:
+--   Policy types overview: https://kyverno.io/docs/policy-types/generating-policy/
+--
+-- Condition types and reasons are defined in:
+--   https://github.com/kyverno/kyverno/tree/main/config/crds/policies.kyverno.io/policies.kyverno.io_generatingpolicies.yaml
+--
+-- GeneratingPolicy exposes a conditionStatus with a ready boolean and standard
+-- Kubernetes conditions. No fixed condition type names are enforced by the CRD.
+--
+-- ArgoCD health mapping:
+--   conditionStatus.ready=true   => Healthy  (message from first True condition)
+--   conditionStatus.ready=false  => Degraded (message from first False condition)
+--   No status yet                => Progressing
+local hs = {}
+
+if obj.status ~= nil and obj.status.conditionStatus ~= nil then
+  local cs = obj.status.conditionStatus
+
+  if obj.metadata.generation ~= nil and cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.observedGeneration ~= nil and condition.observedGeneration < obj.metadata.generation then
+        hs.status = "Progressing"
+        hs.message = "Waiting for GeneratingPolicy status to reflect latest generation"
+        return hs
+      end
+    end
+  end
+
+  if cs.ready == true then
+    hs.status = "Healthy"
+    if cs.conditions ~= nil then
+      for _, condition in ipairs(cs.conditions) do
+        if condition.status == "True" then
+          hs.message = condition.message
+          break
+        end
+      end
+    end
+    if hs.message == nil then
+      hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is ready"
+    end
+    return hs
+  end
+
+  hs.status = "Degraded"
+  if cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.status == "False" then
+        hs.message = condition.type .. ": " .. condition.message
+        return hs
+      end
+    end
+  end
+  hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is not ready"
+  return hs
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for GeneratingPolicy status"
+return hs
@@ -0,0 +1,13 @@
+tests:
+- healthStatus:
+    status: Progressing
+    message: "Waiting for GeneratingPolicy status"
+  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Healthy
+    message: "Policy is ready"
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Degraded
+    message: "Admitted: webhook configuration failed"
+  inputPath: testdata/degraded.yaml
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: GeneratingPolicy
+metadata:
+  name: sample-generating-policy
+spec: {}
+status:
+  conditionStatus:
+    ready: false
+    conditions:
+    - lastTransitionTime: "2025-01-01T00:00:00Z"
+      message: webhook configuration failed
+      status: "False"
+      type: Admitted
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: GeneratingPolicy
+metadata:
+  name: sample-generating-policy
+spec: {}
+status:
+  conditionStatus:
+    ready: true
+    conditions:
+    - lastTransitionTime: "2025-01-01T00:00:00Z"
+      message: Policy is ready
+      status: "True"
+      type: Admitted
@@ -0,0 +1,5 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: GeneratingPolicy
+metadata:
+  name: sample-generating-policy
+spec: {}
@@ -0,0 +1,66 @@
+-- ImageValidatingPolicy is a cluster-scoped resource that defines CEL-based
+-- image signature and attestation validation rules applied to container images
+-- during admission via a Kyverno webhook.
+--
+-- Documentation:
+--   Policy types overview: https://kyverno.io/docs/policy-types/image-validating-policy/
+--
+-- Condition types and reasons are defined in:
+--   https://github.com/kyverno/kyverno/tree/main/config/crds/policies.kyverno.io/policies.kyverno.io_imagevalidatingpolicies.yaml
+--
+-- ImageValidatingPolicy exposes a conditionStatus with a ready boolean and
+-- standard Kubernetes conditions, including:
+--   WebhookConfigured (True)  - Kyverno webhook is configured for the policy
+--   WebhookConfigured (False) - Webhook configuration failed
+--
+-- ArgoCD health mapping:
+--   conditionStatus.ready=true   => Healthy  (WebhookConfigured condition message)
+--   conditionStatus.ready=false  => Degraded (message from first False condition)
+--   No status yet                => Progressing
+local hs = {}
+
+if obj.status ~= nil and obj.status.conditionStatus ~= nil then
+  local cs = obj.status.conditionStatus
+
+  if obj.metadata.generation ~= nil and cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.observedGeneration ~= nil and condition.observedGeneration < obj.metadata.generation then
+        hs.status = "Progressing"
+        hs.message = "Waiting for ImageValidatingPolicy status to reflect latest generation"
+        return hs
+      end
+    end
+  end
+
+  if cs.ready == true then
+    hs.status = "Healthy"
+    if cs.conditions ~= nil then
+      for _, condition in ipairs(cs.conditions) do
+        if condition.type == "WebhookConfigured" and condition.status == "True" then
+          hs.message = condition.message
+          break
+        end
+      end
+    end
+    if hs.message == nil then
+      hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is ready"
+    end
+    return hs
+  end
+
+  hs.status = "Degraded"
+  if cs.conditions ~= nil then
+    for _, condition in ipairs(cs.conditions) do
+      if condition.status == "False" then
+        hs.message = condition.type .. ": " .. condition.message
+        return hs
+      end
+    end
+  end
+  hs.message = (cs.message ~= nil and cs.message ~= "") and cs.message or "Policy is not ready"
+  return hs
+end
+
+hs.status = "Progressing"
+hs.message = "Waiting for ImageValidatingPolicy status"
+return hs
@@ -0,0 +1,13 @@
+tests:
+- healthStatus:
+    status: Progressing
+    message: "Waiting for ImageValidatingPolicy status"
+  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Healthy
+    message: "webhook configured"
+  inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Degraded
+    message: "WebhookConfigured: webhook configuration failed"
+  inputPath: testdata/degraded.yaml