@remo-lab remo-lab commented Jan 26, 2026

What this PR does

This PR adds a new optional field, spec.useServerSideApply, to GeneratingPolicy (and NamespacedGeneratingPolicy) specs.

This brings GeneratingPolicy in line with existing behavior in ClusterPolicy / Policy, where users can choose between:

  • traditional Create/Update
  • or Kubernetes Server-Side Apply (SSA)

Why this is needed

Currently:

  • useServerSideApply exists for generate rules in ClusterPolicy / Policy
  • but GeneratingPolicy does not expose this option
  • generated resources from GeneratingPolicy always use Create/Update

This is limiting for users running:

  • multiple controllers managing the same resources
  • environments that rely on SSA field ownership
  • modern GitOps-style workflows

This gap is tracked in issue https://github.com/kyverno/kyverno/issues/14853.


What changed

  • Added UseServerSideApply field to:

    • GeneratingPolicySpec
    • (and NamespacedGeneratingPolicy spec where applicable)
  • Field is optional and defaults to false

  • Includes comments and JSON tags consistent with existing API patterns

  • CRDs regenerated accordingly

// UseServerSideApply controls whether to use server-side apply for generate rules.
// If set to true, generated resources will be created and updated using SSA.
// Defaults to false.
UseServerSideApply bool `json:"useServerSideApply,omitempty"`

How this relates to the Kyverno implementation

This PR only defines the API contract.

A follow-up PR in the main kyverno/kyverno repository:

  • reads this field from the policy spec

  • passes it through the CEL engine and controllers

  • switches resource creation/update logic between:

    • CreateResource / UpdateResource
    • and ApplyResource when SSA is enabled

Keeping the API change separate makes the review smaller and cleaner, and avoids mixing API evolution with controller logic.


Backward compatibility

  • Fully backward compatible
  • Existing GeneratingPolicies continue to behave exactly the same
  • SSA is opt-in only

Related issue

  • Fixes / implements: #14853

Signed-off-by: remo-lab <remopanda7@gmail.com>
@remo-lab
Author

Hey @eddycharly,
This PR adds the API field needed for useServerSideApply support in GeneratingPolicy.
A follow-up PR in kyverno/kyverno wires this through the engine and controllers to actually enable SSA for generated resources.
Would really appreciate a quick review when you get a chance — thanks!
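
Added example, not code from this PR or from Kyverno: a simplified Go model of the difference the PR description relies on between Create/Update and Server-Side Apply when several controllers write the same generated resource. The `Object` type, the manager names (`kyverno`, `other-controller`) and the field paths are constructed for illustration; the model covers only field ownership, conflicts and release, not the real `managedFields` format.

```go
package main

import "fmt"

// Object is a toy resource: field path -> value, plus the managers owning each path.
type Object struct {
	Fields map[string]string
	Owners map[string]map[string]bool // simplified metadata.managedFields
}
func NewObject() *Object { return &Object{map[string]string{}, map[string]map[string]bool{}} }

// Update models Create/Update: the writer's full copy replaces the object.
func (o *Object) Update(mgr string, full map[string]string) {
	*o = *NewObject() // fields set by any other manager vanish, with no error
	for p, v := range full {
		o.Fields[p], o.Owners[p] = v, map[string]bool{mgr: true}
	}
}

// Apply models SSA: mgr sends only the fields it wants to own.
func (o *Object) Apply(mgr string, intent map[string]string, force bool) error {
	for p, v := range intent { // validate everything before changing anything
		for other := range o.Owners[p] {
			if other != mgr && o.Fields[p] != v && !force {
				return fmt.Errorf("conflict: %s is owned by %s", p, other)
			}
		}
	}
	for p, owners := range o.Owners { // release fields mgr no longer declares
		if _, kept := intent[p]; owners[mgr] && !kept {
			if delete(owners, mgr); len(owners) == 0 {
				delete(o.Fields, p)
				delete(o.Owners, p)
			}
		}
	}
	for p, v := range intent {
		if o.Owners[p] == nil || o.Fields[p] != v {
			o.Owners[p] = map[string]bool{} // new or changed: mgr is sole owner
		}
		o.Fields[p], o.Owners[p][mgr] = v, true
	}
	return nil
}

func main() {
	o, m := NewObject(), map[string]string{"data.mode": "strict"}
	fmt.Println(o.Apply("kyverno", m, false), o.Apply("other-controller", map[string]string{"data.mode": "open"}, false), o.Fields)
}
```

With Update, the second writer silently removes the first writer's field; with Apply, both managers' fields coexist and an attempt to change a field owned by another manager fails unless it is forced.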
