2020-06-05 13:51:22 -07:00
apiVersion : v1
kind : Namespace
metadata :
name : kyverno
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
metadata :
name : clusterpolicies.kyverno.io
spec :
group : kyverno.io
names :
kind : ClusterPolicy
plural : clusterpolicies
shortNames :
- cpol
singular : clusterpolicy
scope : Cluster
subresources :
status : {}
validation :
openAPIV3Schema :
properties :
spec :
properties :
background :
type : boolean
rules :
items :
properties :
exclude :
properties :
clusterRoles :
items :
type : string
type : array
resources :
properties :
2020-08-21 11:12:55 -07:00
annotations :
additionalProperties :
type : string
type : object
2020-06-05 13:51:22 -07:00
kinds :
items :
type : string
type : array
name :
type : string
namespaces :
items :
type : string
type : array
selector :
properties :
matchExpressions :
items :
properties :
key :
type : string
operator :
type : string
values :
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
type : object
type : object
roles :
items :
type : string
type : array
subjects :
items :
properties :
apiGroup :
type : string
kind :
type : string
name :
type : string
namespace :
type : string
required :
- kind
- name
type : object
type : array
type : object
generate :
properties :
2020-08-07 09:47:33 +05:30
apiVersion :
type : string
2020-06-05 13:51:22 -07:00
clone :
properties :
name :
type : string
namespace :
type : string
required :
- namespace
- name
type : object
2020-08-13 11:57:35 -07:00
data : {}
2020-06-05 13:51:22 -07:00
kind :
type : string
name :
type : string
namespace :
type : string
2020-06-22 18:49:43 -07:00
synchronize :
type : boolean
2020-06-05 13:51:22 -07:00
required :
- kind
- name
type : object
match :
properties :
clusterRoles :
items :
type : string
type : array
resources :
minProperties : 1
properties :
2020-08-21 11:12:55 -07:00
annotations :
additionalProperties :
type : string
type : object
2020-06-05 13:51:22 -07:00
kinds :
items :
type : string
type : array
name :
type : string
namespaces :
items :
type : string
type : array
selector :
properties :
matchExpressions :
items :
properties :
key :
type : string
operator :
type : string
values :
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
type : object
type : object
roles :
items :
type : string
type : array
subjects :
items :
properties :
apiGroup :
type : string
kind :
type : string
name :
type : string
namespace :
type : string
required :
- kind
- name
type : object
type : array
required :
- resources
type : object
mutate :
properties :
2020-08-13 11:57:35 -07:00
overlay : {}
patchStrategicMerge : {}
2020-06-05 13:51:22 -07:00
patches :
items :
properties :
op :
enum :
- add
- replace
- remove
type : string
path :
type : string
2020-08-13 11:57:35 -07:00
value : {}
2020-06-05 13:51:22 -07:00
required :
- path
- op
type : object
type : array
2020-08-05 09:11:23 -07:00
patchesJson6902 :
type : string
2020-06-05 13:51:22 -07:00
type : object
name :
type : string
preconditions :
items :
required :
- key
- operator
- value
type : object
type : array
validate :
properties :
2020-08-13 11:57:35 -07:00
anyPattern : {}
2020-06-05 13:51:22 -07:00
deny :
properties :
conditions :
items :
properties :
key :
type : string
operator :
enum :
- Equal
- Equals
- NotEqual
- NotEquals
2020-06-12 15:48:19 +05:30
- In
- NotIn
2020-06-05 13:51:22 -07:00
type : string
value :
2020-06-24 12:27:08 +05:30
anyOf :
- type : string
2020-07-10 20:04:52 -07:00
- items : {}
type : array
2020-06-05 13:51:22 -07:00
required :
- key
- operator
- value
type : object
type : array
message :
type : string
2020-08-13 11:57:35 -07:00
pattern : {}
2020-06-05 13:51:22 -07:00
type : object
required :
- name
- match
type : object
type : array
validationFailureAction :
enum :
- enforce
- audit
type : string
required :
- rules
status : {}
versions :
- name : v1
served : true
storage : true
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
2020-08-26 18:50:38 +05:30
metadata :
annotations :
2020-10-22 16:15:43 -07:00
controller-gen.kubebuilder.io/version : v0.2.5
creationTimestamp : null
2020-10-30 17:33:20 -07:00
name : clusterpolicyreports.policy.k8s.io
2020-08-26 18:50:38 +05:30
spec :
additionalPrinterColumns :
- JSONPath : .scope.kind
name : Kind
priority : 1
type : string
- JSONPath : .scope.name
name : Name
priority : 1
type : string
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.pass
2020-08-26 18:50:38 +05:30
name : Pass
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.fail
2020-08-26 18:50:38 +05:30
name : Fail
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.warn
2020-08-26 18:50:38 +05:30
name : Warn
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.error
2020-08-26 18:50:38 +05:30
name : Error
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.skip
2020-08-26 18:50:38 +05:30
name : Skip
type : integer
- JSONPath : .metadata.creationTimestamp
name : Age
type : date
2020-10-30 17:33:20 -07:00
group : policy.k8s.io
2020-08-26 18:50:38 +05:30
names :
kind : ClusterPolicyReport
listKind : ClusterPolicyReportList
plural : clusterpolicyreports
2020-10-14 19:23:08 -07:00
shortNames :
- cpolr
2020-08-26 18:50:38 +05:30
singular : clusterpolicyreport
scope : Namespaced
subresources : {}
validation :
openAPIV3Schema :
2020-09-10 10:19:36 -07:00
description : ClusterPolicyReport is the Schema for the clusterpolicyreports
API
2020-08-26 18:50:38 +05:30
properties :
apiVersion :
2020-09-10 10:19:36 -07:00
description : 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2020-08-26 18:50:38 +05:30
type : string
kind :
2020-09-10 10:19:36 -07:00
description : 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2020-08-26 18:50:38 +05:30
type : string
metadata :
type : object
results :
description : PolicyReportResult provides result details
items :
2020-09-10 10:19:36 -07:00
description : PolicyReportResult provides the result for an individual
2020-09-16 06:56:38 -07:00
policy
2020-08-26 18:50:38 +05:30
properties :
2020-10-22 16:15:43 -07:00
category :
description : Category indicates policy category
type : string
2020-08-26 18:50:38 +05:30
data :
additionalProperties :
type : string
description : Data provides additional information for the policy rule
type : object
message :
2020-09-10 10:19:36 -07:00
description : Message is a short user friendly description of the policy
rule
2020-08-26 18:50:38 +05:30
type : string
policy :
description : Policy is the name of the policy
type : string
2020-09-03 22:35:34 +05:30
resourceSelector :
2020-09-16 06:56:38 -07:00
description : ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
2020-09-03 22:35:34 +05:30
properties :
matchExpressions :
2020-09-10 10:19:36 -07:00
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
2020-09-03 22:35:34 +05:30
items :
2020-09-10 10:19:36 -07:00
description : A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
2020-09-03 22:35:34 +05:30
properties :
key :
2020-09-10 10:19:36 -07:00
description : key is the label key that the selector applies
to.
2020-09-03 22:35:34 +05:30
type : string
operator :
2020-09-10 10:19:36 -07:00
description : operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
2020-09-03 22:35:34 +05:30
type : string
values :
2020-09-10 10:19:36 -07:00
description : values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
2020-09-03 22:35:34 +05:30
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
2020-09-10 10:19:36 -07:00
description : matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
2020-09-03 22:35:34 +05:30
type : object
type : object
2020-09-16 06:56:38 -07:00
resources :
description : Resources is an optional reference to the resource checked
by the policy and rule
items :
description : 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration :
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like : "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO : this design is not final and this field is
subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference
is made, if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
type : array
2020-08-26 18:50:38 +05:30
rule :
description : Rule is the name of the policy rule
type : string
scored :
description : Scored indicates if this policy rule is scored
type : boolean
2020-10-22 16:15:43 -07:00
severity :
description : Severity indicates policy severity
enum :
- High
- Low
- Medium
type : string
2020-08-26 18:50:38 +05:30
status :
description : Status indicates the result of the policy rule check
enum :
2020-10-30 18:01:46 -07:00
- pass
- fail
- warn
- error
- skip
2020-08-26 18:50:38 +05:30
type : string
required :
- policy
type : object
type : array
scope :
2020-10-22 16:15:43 -07:00
description : Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
2020-08-26 18:50:38 +05:30
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
2020-09-10 10:19:36 -07:00
description : 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like : "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO : this design is not final and this field
is subject to change in the future.'
2020-08-26 18:50:38 +05:30
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
2020-09-10 10:19:36 -07:00
description : 'Specific resourceVersion to which this reference is made,
if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
2020-08-26 18:50:38 +05:30
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
2020-09-03 22:35:34 +05:30
scopeSelector :
2020-09-10 10:19:36 -07:00
description : ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
2020-09-03 22:35:34 +05:30
properties :
matchExpressions :
2020-09-10 10:19:36 -07:00
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
2020-09-03 22:35:34 +05:30
items :
2020-09-10 10:19:36 -07:00
description : A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
2020-09-03 22:35:34 +05:30
properties :
key :
description : key is the label key that the selector applies to.
type : string
operator :
2020-09-10 10:19:36 -07:00
description : operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2020-09-03 22:35:34 +05:30
type : string
values :
2020-09-10 10:19:36 -07:00
description : values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
2020-09-03 22:35:34 +05:30
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
2020-09-10 10:19:36 -07:00
description : matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
2020-09-03 22:35:34 +05:30
type : object
type : object
2020-08-26 18:50:38 +05:30
summary :
description : PolicyReportSummary provides a summary of results
properties :
2020-10-30 18:01:46 -07:00
error :
2020-09-16 06:56:38 -07:00
description : Error provides the count of policies that could not be
evaluated
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
fail :
2020-09-16 06:56:38 -07:00
description : Fail provides the count of policies whose requirements
were not met
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
pass :
2020-09-16 06:56:38 -07:00
description : Pass provides the count of policies whose requirements
were met
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
skip :
2020-09-16 06:56:38 -07:00
description : Skip indicates the count of policies that were not selected
for evaluation
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
warn :
2020-09-16 06:56:38 -07:00
description : Warn provides the count of unscored policies whose requirements
were not met
2020-08-26 18:50:38 +05:30
type : integer
type : object
type : object
version : v1alpha1
versions :
- name : v1alpha1
served : true
storage : true
status :
acceptedNames :
kind : ""
plural : ""
conditions : [ ]
storedVersions : [ ]
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
2020-06-05 13:51:22 -07:00
metadata :
2020-10-22 16:15:43 -07:00
annotations :
controller-gen.kubebuilder.io/version : v0.2.5
creationTimestamp : null
2020-10-30 19:26:53 -07:00
name : clusterreportchangerequests.kyverno.io
2020-06-05 13:51:22 -07:00
spec :
additionalPrinterColumns :
2020-10-22 16:15:43 -07:00
- JSONPath : .scope.kind
name : Kind
priority : 1
2020-06-05 13:51:22 -07:00
type : string
2020-10-22 16:15:43 -07:00
- JSONPath : .scope.name
name : Name
priority : 1
2020-06-05 13:51:22 -07:00
type : string
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.pass
2020-10-22 16:15:43 -07:00
name : Pass
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.fail
2020-10-22 16:15:43 -07:00
name : Fail
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.warn
2020-10-22 16:15:43 -07:00
name : Warn
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.error
2020-10-22 16:15:43 -07:00
name : Error
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.skip
2020-10-22 16:15:43 -07:00
name : Skip
type : integer
2020-06-05 13:51:22 -07:00
- JSONPath : .metadata.creationTimestamp
name : Age
type : date
2020-10-30 19:26:53 -07:00
group : kyverno.io
2020-06-05 13:51:22 -07:00
names :
2020-10-28 15:36:50 -07:00
kind : ClusterReportChangeRequest
listKind : ClusterReportChangeRequestList
plural : clusterreportchangerequests
singular : clusterreportchangerequest
2020-06-05 13:51:22 -07:00
scope : Namespaced
2020-10-22 16:15:43 -07:00
subresources : {}
2020-06-05 13:51:22 -07:00
validation :
openAPIV3Schema :
2020-10-28 15:36:50 -07:00
description : ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests
API
2020-06-05 13:51:22 -07:00
properties :
2020-10-22 16:15:43 -07:00
apiVersion :
description : 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type : string
kind :
description : 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
metadata :
type : object
results :
description : PolicyReportResult provides result details
items :
description : PolicyReportResult provides the result for an individual
policy
properties :
category :
description : Category indicates policy category
type : string
data :
additionalProperties :
2020-06-05 13:51:22 -07:00
type : string
2020-10-22 16:15:43 -07:00
description : Data provides additional information for the policy rule
type : object
message :
description : Message is a short user friendly description of the policy
rule
type : string
policy :
description : Policy is the name of the policy
type : string
resourceSelector :
description : ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
2020-08-19 21:37:23 +05:30
properties :
2020-10-22 16:15:43 -07:00
matchExpressions :
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items :
description : A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties :
key :
description : key is the label key that the selector applies
to.
2020-08-19 21:37:23 +05:30
type : string
2020-10-22 16:15:43 -07:00
operator :
description : operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
2020-08-19 21:37:23 +05:30
type : string
2020-10-22 16:15:43 -07:00
values :
description : values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items :
2020-08-19 21:37:23 +05:30
type : string
2020-10-22 16:15:43 -07:00
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type : object
type : object
resources :
description : Resources is an optional reference to the resource checked
by the policy and rule
items :
description : 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration :
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like : "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO : this design is not final and this field is
subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference
is made, if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
type : array
rule :
description : Rule is the name of the policy rule
type : string
scored :
description : Scored indicates if this policy rule is scored
type : boolean
severity :
description : Severity indicates policy severity
enum :
- High
- Low
- Medium
type : string
status :
description : Status indicates the result of the policy rule check
enum :
2020-10-30 18:01:46 -07:00
- pass
- fail
- warn
- error
- skip
2020-10-22 16:15:43 -07:00
type : string
required :
- policy
type : object
type : array
scope :
description : Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like : "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO : this design is not final and this field
is subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference is made,
if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
scopeSelector :
description : ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties :
matchExpressions :
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items :
description : A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties :
key :
description : key is the label key that the selector applies to.
type : string
operator :
description : operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type : object
type : object
summary :
description : PolicyReportSummary provides a summary of results
properties :
2020-10-30 18:01:46 -07:00
error :
2020-10-22 16:15:43 -07:00
description : Error provides the count of policies that could not be
evaluated
type : integer
2020-10-30 18:01:46 -07:00
fail :
2020-10-22 16:15:43 -07:00
description : Fail provides the count of policies whose requirements
were not met
type : integer
2020-10-30 18:01:46 -07:00
pass :
2020-10-22 16:15:43 -07:00
description : Pass provides the count of policies whose requirements
were met
type : integer
2020-10-30 18:01:46 -07:00
skip :
2020-10-22 16:15:43 -07:00
description : Skip indicates the count of policies that were not selected
for evaluation
type : integer
2020-10-30 18:01:46 -07:00
warn :
2020-10-22 16:15:43 -07:00
description : Warn provides the count of unscored policies whose requirements
were not met
type : integer
type : object
type : object
version : v1alpha1
versions :
- name : v1alpha1
served : true
storage : true
status :
acceptedNames :
kind : ""
plural : ""
conditions : [ ]
storedVersions : [ ]
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
metadata :
name : generaterequests.kyverno.io
spec :
additionalPrinterColumns :
- JSONPath : .spec.policy
description : The policy that resulted in the violation
name : Policy
type : string
- JSONPath : .spec.resource.kind
description : The resource kind that cause the violation
name : ResourceKind
type : string
- JSONPath : .spec.resource.name
description : The resource name that caused the violation
name : ResourceName
type : string
- JSONPath : .spec.resource.namespace
description : The resource namespace that caused the violation
name : ResourceNamespace
type : string
- JSONPath : .status.state
description : Current state of generate request
name : status
type : string
- JSONPath : .metadata.creationTimestamp
name : Age
type : date
group : kyverno.io
names :
kind : GenerateRequest
plural : generaterequests
shortNames :
- gr
singular : generaterequest
scope : Namespaced
subresources :
status : {}
validation :
openAPIV3Schema :
properties :
spec :
properties :
policy :
type : string
resource :
properties :
kind :
type : string
name :
type : string
namespace :
type : string
required :
- kind
- name
type : object
required :
- policy
- resource
versions :
- name : v1
served : true
storage : true
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
metadata :
name : policies.kyverno.io
spec :
group : kyverno.io
names :
kind : Policy
plural : policies
shortNames :
- pol
singular : policy
scope : Namespaced
subresources :
status : {}
validation :
openAPIV3Schema :
properties :
spec :
properties :
background :
type : boolean
rules :
items :
properties :
exclude :
properties :
clusterRoles :
items :
type : string
type : array
resources :
properties :
kinds :
items :
type : string
type : array
name :
type : string
selector :
properties :
matchExpressions :
items :
properties :
key :
type : string
operator :
type : string
values :
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
type : object
type : object
roles :
items :
type : string
type : array
subjects :
items :
properties :
apiGroup :
type : string
kind :
type : string
name :
type : string
namespace :
type : string
required :
- kind
- name
type : object
type : array
type : object
generate :
properties :
apiVersion :
type : string
clone :
properties :
name :
type : string
namespace :
type : string
required :
- namespace
- name
type : object
data : {}
kind :
type : string
name :
type : string
namespace :
type : string
synchronize :
type : boolean
required :
- kind
- name
2020-08-19 21:37:23 +05:30
type : object
match :
properties :
clusterRoles :
items :
type : string
2020-10-22 16:15:43 -07:00
type : array
resources :
minProperties : 1
properties :
kinds :
items :
type : string
type : array
name :
type : string
selector :
properties :
matchExpressions :
items :
properties :
key :
type : string
operator :
type : string
values :
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
type : object
type : object
roles :
items :
type : string
type : array
subjects :
items :
properties :
apiGroup :
type : string
kind :
type : string
name :
type : string
namespace :
type : string
required :
- kind
- name
type : object
type : array
required :
- resources
type : object
mutate :
properties :
overlay : {}
patchStrategicMerge : {}
patches :
items :
properties :
op :
enum :
- add
- replace
- remove
type : string
path :
type : string
value : {}
required :
- path
- op
type : object
type : array
patchesJson6902 :
type : string
type : object
name :
type : string
preconditions :
items :
required :
- key
- operator
- value
type : object
type : array
validate :
properties :
anyPattern : {}
deny :
properties :
conditions :
items :
properties :
key :
type : string
operator :
enum :
- Equal
- Equals
- NotEqual
- NotEquals
- In
- NotIn
type : string
value :
anyOf :
- type : string
- items : {}
type : array
required :
- key
- operator
- value
type : object
type : array
message :
type : string
pattern : {}
type : object
required :
- name
- match
type : object
type : array
validationFailureAction :
enum :
- enforce
- audit
type : string
required :
- rules
status : {}
versions :
- name : v1
served : true
storage : true
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
metadata :
annotations :
controller-gen.kubebuilder.io/version : v0.2.5
creationTimestamp : null
2020-10-30 17:33:20 -07:00
name : policyreports.policy.k8s.io
2020-10-22 16:15:43 -07:00
spec :
additionalPrinterColumns :
- JSONPath : .scope.kind
name : Kind
priority : 1
type : string
- JSONPath : .scope.name
name : Name
priority : 1
type : string
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.pass
2020-10-22 16:15:43 -07:00
name : Pass
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.fail
2020-10-22 16:15:43 -07:00
name : Fail
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.warn
2020-10-22 16:15:43 -07:00
name : Warn
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.error
2020-10-22 16:15:43 -07:00
name : Error
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.skip
2020-10-22 16:15:43 -07:00
name : Skip
type : integer
- JSONPath : .metadata.creationTimestamp
name : Age
type : date
2020-10-30 17:33:20 -07:00
group : policy.k8s.io
2020-10-22 16:15:43 -07:00
names :
kind : PolicyReport
listKind : PolicyReportList
plural : policyreports
shortNames :
- polr
singular : policyreport
scope : Namespaced
subresources : {}
validation :
openAPIV3Schema :
description : PolicyReport is the Schema for the policyreports API
properties :
apiVersion :
description : 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type : string
kind :
description : 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
metadata :
type : object
results :
description : PolicyReportResult provides result details
items :
description : PolicyReportResult provides the result for an individual
policy
properties :
category :
description : Category indicates policy category
type : string
data :
additionalProperties :
type : string
description : Data provides additional information for the policy rule
type : object
message :
description : Message is a short user friendly description of the policy
rule
type : string
policy :
description : Policy is the name of the policy
type : string
resourceSelector :
description : ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties :
matchExpressions :
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items :
description : A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties :
key :
description : key is the label key that the selector applies
to.
type : string
operator :
description : operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
2020-08-19 21:37:23 +05:30
type : string
2020-10-22 16:15:43 -07:00
values :
description : values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
2020-08-19 21:37:23 +05:30
type : object
2020-10-22 16:15:43 -07:00
type : object
resources :
description : Resources is an optional reference to the resource checked
by the policy and rule
items :
description : 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration :
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like : "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO : this design is not final and this field is
subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference
is made, if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
type : array
rule :
description : Rule is the name of the policy rule
type : string
scored :
description : Scored indicates if this policy rule is scored
type : boolean
severity :
description : Severity indicates policy severity
enum :
- High
- Low
- Medium
type : string
status :
description : Status indicates the result of the policy rule check
enum :
2020-10-30 18:01:46 -07:00
- pass
- fail
- warn
- error
- skip
2020-10-22 16:15:43 -07:00
type : string
required :
- policy
type : object
type : array
scope :
description : Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like : "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO : this design is not final and this field
is subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference is made,
if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
scopeSelector :
description : ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties :
matchExpressions :
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items :
description : A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties :
key :
description : key is the label key that the selector applies to.
type : string
operator :
description : operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
2020-08-19 21:37:23 +05:30
type : string
2020-10-22 16:15:43 -07:00
values :
description : values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
2020-08-19 21:37:23 +05:30
items :
2020-10-22 16:15:43 -07:00
type : string
2020-08-19 21:37:23 +05:30
type : array
required :
2020-10-22 16:15:43 -07:00
- key
- operator
2020-08-19 21:37:23 +05:30
type : object
type : array
2020-10-22 16:15:43 -07:00
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type : object
type : object
summary :
description : PolicyReportSummary provides a summary of results
properties :
2020-10-30 18:01:46 -07:00
error :
2020-10-22 16:15:43 -07:00
description : Error provides the count of policies that could not be
evaluated
type : integer
2020-10-30 18:01:46 -07:00
fail :
2020-10-22 16:15:43 -07:00
description : Fail provides the count of policies whose requirements
were not met
type : integer
2020-10-30 18:01:46 -07:00
pass :
2020-10-22 16:15:43 -07:00
description : Pass provides the count of policies whose requirements
were met
type : integer
2020-10-30 18:01:46 -07:00
skip :
2020-10-22 16:15:43 -07:00
description : Skip indicates the count of policies that were not selected
for evaluation
type : integer
2020-10-30 18:01:46 -07:00
warn :
2020-10-22 16:15:43 -07:00
description : Warn provides the count of unscored policies whose requirements
were not met
type : integer
type : object
type : object
version : v1alpha1
versions :
- name : v1alpha1
served : true
storage : true
status :
acceptedNames :
kind : ""
plural : ""
conditions : [ ]
storedVersions : [ ]
---
apiVersion : apiextensions.k8s.io/v1beta1
kind : CustomResourceDefinition
2020-08-26 18:50:38 +05:30
metadata :
annotations :
2020-10-22 16:15:43 -07:00
controller-gen.kubebuilder.io/version : v0.2.5
creationTimestamp : null
2020-10-30 19:26:53 -07:00
name : reportchangerequests.kyverno.io
2020-08-26 18:50:38 +05:30
spec :
additionalPrinterColumns :
- JSONPath : .scope.kind
name : Kind
priority : 1
type : string
- JSONPath : .scope.name
name : Name
priority : 1
type : string
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.pass
2020-08-26 18:50:38 +05:30
name : Pass
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.fail
2020-08-26 18:50:38 +05:30
name : Fail
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.warn
2020-08-26 18:50:38 +05:30
name : Warn
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.error
2020-08-26 18:50:38 +05:30
name : Error
type : integer
2020-10-30 18:01:46 -07:00
- JSONPath : .summary.skip
2020-08-26 18:50:38 +05:30
name : Skip
type : integer
- JSONPath : .metadata.creationTimestamp
name : Age
type : date
2020-10-30 19:26:53 -07:00
group : kyverno.io
2020-08-26 18:50:38 +05:30
names :
2020-10-28 15:36:50 -07:00
kind : ReportChangeRequest
listKind : ReportChangeRequestList
plural : reportchangerequests
singular : reportchangerequest
2020-08-26 18:50:38 +05:30
scope : Namespaced
subresources : {}
validation :
openAPIV3Schema :
2020-10-28 15:36:50 -07:00
description : ReportChangeRequest is the Schema for the ReportChangeRequests
API
2020-08-26 18:50:38 +05:30
properties :
apiVersion :
2020-09-10 10:19:36 -07:00
description : 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
2020-08-26 18:50:38 +05:30
type : string
kind :
2020-09-10 10:19:36 -07:00
description : 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
2020-08-26 18:50:38 +05:30
type : string
metadata :
type : object
results :
description : PolicyReportResult provides result details
items :
2020-09-10 10:19:36 -07:00
description : PolicyReportResult provides the result for an individual
2020-09-16 06:56:38 -07:00
policy
2020-08-26 18:50:38 +05:30
properties :
2020-10-22 16:15:43 -07:00
category :
description : Category indicates policy category
type : string
2020-08-26 18:50:38 +05:30
data :
additionalProperties :
type : string
description : Data provides additional information for the policy rule
type : object
message :
2020-09-10 10:19:36 -07:00
description : Message is a short user friendly description of the policy
rule
2020-08-26 18:50:38 +05:30
type : string
policy :
description : Policy is the name of the policy
type : string
2020-09-03 22:35:34 +05:30
resourceSelector :
2020-09-16 06:56:38 -07:00
description : ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
2020-09-03 22:35:34 +05:30
properties :
matchExpressions :
2020-09-10 10:19:36 -07:00
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
2020-09-03 22:35:34 +05:30
items :
2020-09-10 10:19:36 -07:00
description : A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
2020-09-03 22:35:34 +05:30
properties :
key :
2020-09-10 10:19:36 -07:00
description : key is the label key that the selector applies
to.
2020-09-03 22:35:34 +05:30
type : string
operator :
2020-09-10 10:19:36 -07:00
description : operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
2020-09-03 22:35:34 +05:30
type : string
values :
2020-09-10 10:19:36 -07:00
description : values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
2020-09-03 22:35:34 +05:30
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
2020-09-10 10:19:36 -07:00
description : matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
2020-09-03 22:35:34 +05:30
type : object
type : object
2020-09-16 06:56:38 -07:00
resources :
description : Resources is an optional reference to the resource checked
by the policy and rule
items :
description : 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration :
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
description : 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like : "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO : this design is not final and this field is
subject to change in the future.'
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
description : 'Specific resourceVersion to which this reference
is made, if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
type : array
2020-08-26 18:50:38 +05:30
rule :
description : Rule is the name of the policy rule
type : string
scored :
description : Scored indicates if this policy rule is scored
type : boolean
2020-10-22 16:15:43 -07:00
severity :
description : Severity indicates policy severity
enum :
- High
- Low
- Medium
type : string
2020-08-26 18:50:38 +05:30
status :
description : Status indicates the result of the policy rule check
enum :
2020-10-30 18:01:46 -07:00
- pass
- fail
- warn
- error
- skip
2020-08-26 18:50:38 +05:30
type : string
required :
- policy
type : object
type : array
scope :
2020-09-10 10:19:36 -07:00
description : Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
2020-08-26 18:50:38 +05:30
properties :
apiVersion :
description : API version of the referent.
type : string
fieldPath :
2020-09-10 10:19:36 -07:00
description : 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like : "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO : this design is not final and this field
is subject to change in the future.'
2020-08-26 18:50:38 +05:30
type : string
kind :
description: 'Kind of the referent. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
name :
description: 'Name of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type : string
namespace :
description: 'Namespace of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type : string
resourceVersion :
2020-09-10 10:19:36 -07:00
description : 'Specific resourceVersion to which this reference is made,
if any. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
2020-08-26 18:50:38 +05:30
type : string
uid :
description: 'UID of the referent. More info : https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type : string
type : object
2020-09-15 11:20:08 -07:00
scopeSelector :
description : ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties :
matchExpressions :
description : matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items :
description : A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties :
key :
description : key is the label key that the selector applies to.
type : string
operator :
description : operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type : object
type : object
2020-08-26 18:50:38 +05:30
summary :
description : PolicyReportSummary provides a summary of results
properties :
2020-10-30 18:01:46 -07:00
error :
2020-09-16 06:56:38 -07:00
description : Error provides the count of policies that could not be
evaluated
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
fail :
2020-09-16 06:56:38 -07:00
description : Fail provides the count of policies whose requirements
were not met
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
pass :
2020-09-16 06:56:38 -07:00
description : Pass provides the count of policies whose requirements
were met
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
skip :
2020-09-16 06:56:38 -07:00
description : Skip indicates the count of policies that were not selected
for evaluation
2020-08-26 18:50:38 +05:30
type : integer
2020-10-30 18:01:46 -07:00
warn :
2020-09-16 06:56:38 -07:00
description : Warn provides the count of unscored policies whose requirements
were not met
2020-08-26 18:50:38 +05:30
type : integer
type : object
type : object
version : v1alpha1
versions :
- name : v1alpha1
served : true
storage : true
status :
acceptedNames :
kind : ""
plural : ""
conditions : [ ]
storedVersions : [ ]
---
2020-06-05 13:51:22 -07:00
apiVersion : v1
kind : ServiceAccount
metadata :
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRole
metadata :
name : kyverno:customresources
rules :
- apiGroups :
- '*'
resources :
2020-08-24 12:27:16 -07:00
- policies
- policies/status
2020-06-05 13:51:22 -07:00
- clusterpolicies
- clusterpolicies/status
2020-08-29 04:31:40 +05:30
- policyreports
- policyreports/status
- clusterpolicyreports
- clusterpolicyreports/status
2020-06-05 13:51:22 -07:00
- clusterpolicyviolations
- clusterpolicyviolations/status
- policyviolations
- policyviolations/status
- generaterequests
- generaterequests/status
2020-10-28 15:36:50 -07:00
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
2020-06-05 13:51:22 -07:00
verbs :
- create
- delete
- get
- list
- patch
- update
- watch
2020-11-02 16:59:16 -08:00
- apiGroups :
- apiextensions.k8s.io
resources :
- customresourcedefinitions
verbs :
- delete
2020-06-05 13:51:22 -07:00
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRole
metadata :
name : kyverno:generatecontroller
rules :
- apiGroups :
- '*'
resources :
- namespaces
- networkpolicies
- secrets
- configmaps
- resourcequotas
- limitranges
- clusterroles
- rolebindings
- clusterrolebindings
verbs :
- create
- update
- delete
- get
- apiGroups :
- '*'
resources :
- namespaces
verbs :
- watch
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRole
metadata :
name : kyverno:policycontroller
rules :
- apiGroups :
- '*'
resources :
- '*'
verbs :
- get
- list
- update
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRole
metadata :
name : kyverno:userinfo
rules :
- apiGroups :
- '*'
resources :
2020-07-10 20:04:52 -07:00
- roles
- clusterroles
2020-06-05 13:51:22 -07:00
- rolebindings
- clusterrolebindings
- configmaps
2020-09-04 03:04:23 +05:30
- namespaces
2020-06-05 13:51:22 -07:00
verbs :
- watch
2020-09-04 03:04:23 +05:30
- list
2020-06-05 13:51:22 -07:00
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRole
metadata :
name : kyverno:webhook
rules :
- apiGroups :
- '*'
resources :
- events
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- certificatesigningrequests
- certificatesigningrequests/approval
verbs :
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups :
- certificates.k8s.io
resourceNames :
- kubernetes.io/legacy-unknown
resources :
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs :
- create
- delete
- get
- update
- watch
- apiGroups :
- certificates.k8s.io
resourceNames :
- kubernetes.io/legacy-unknown
resources :
- signers
verbs :
- approve
---
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
metadata :
2020-08-21 11:12:55 -07:00
labels :
rbac.authorization.k8s.io/aggregate-to-admin : "true"
name : kyverno:admin-policies
2020-06-05 13:51:22 -07:00
rules :
- apiGroups :
- kyverno.io
resources :
2020-08-21 11:12:55 -07:00
- policies
2020-06-05 13:51:22 -07:00
verbs :
2020-08-21 11:12:55 -07:00
- '*'
2020-06-05 13:51:22 -07:00
---
2020-06-05 14:36:37 -07:00
apiVersion : rbac.authorization.k8s.io/v1beta1
2019-12-12 17:45:02 -08:00
kind : ClusterRole
2020-08-29 04:31:40 +05:30
metadata :
labels :
rbac.authorization.k8s.io/aggregate-to-admin : "true"
name : kyverno:admin-policyreport
rules :
- apiGroups :
2020-10-30 17:33:20 -07:00
- policy.k8s.io/v1alpha1
2020-08-29 04:31:40 +05:30
resources :
- policyreport
- clusterpolicyreport
verbs :
- '*'
---
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
2020-08-26 18:50:38 +05:30
metadata :
labels :
rbac.authorization.k8s.io/aggregate-to-edit : "true"
2020-08-29 04:31:40 +05:30
name : kyverno:edit-policies-policyreport
2020-08-26 18:50:38 +05:30
rules :
- apiGroups :
2020-10-30 17:33:20 -07:00
- policy.k8s.io/v1alpha1
2020-08-26 18:50:38 +05:30
resources :
2020-08-29 04:31:40 +05:30
- policyreport
- clusterpolicyreport
2020-08-26 18:50:38 +05:30
- policies
verbs :
- get
- list
- watch
---
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
2019-12-12 17:45:02 -08:00
metadata :
2020-06-05 14:36:37 -07:00
labels :
2020-08-21 11:12:55 -07:00
rbac.authorization.k8s.io/aggregate-to-edit : "true"
name : kyverno:edit-policies-policyviolations
2019-12-12 17:45:02 -08:00
rules :
2020-02-11 13:43:36 -08:00
- apiGroups :
2020-06-05 14:36:37 -07:00
- kyverno.io
2019-12-12 17:45:02 -08:00
resources :
2020-08-21 11:12:55 -07:00
- policyviolations
2020-02-11 13:43:36 -08:00
verbs :
2020-06-05 14:36:37 -07:00
- get
- list
2020-02-11 13:43:36 -08:00
- watch
2020-06-05 14:36:37 -07:00
---
2020-08-19 21:37:23 +05:30
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
2020-08-26 18:50:38 +05:30
metadata :
name : kyverno:policyreport
rules :
- apiGroups :
2020-10-14 19:23:08 -07:00
- '*'
2020-08-26 18:50:38 +05:30
resources :
2020-10-14 18:59:44 -07:00
- policyreports
- clusterpolicyreports
- pods
2020-02-11 13:43:36 -08:00
verbs :
2020-06-05 14:36:37 -07:00
- get
- list
2020-02-11 13:43:36 -08:00
- watch
2020-10-14 18:59:44 -07:00
- delete
2020-06-05 14:36:37 -07:00
---
2020-08-19 21:37:23 +05:30
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
metadata :
2020-08-21 11:12:55 -07:00
name : kyverno:policyviolations
2020-08-19 21:37:23 +05:30
rules :
- apiGroups :
- kyverno.io
resources :
2020-08-21 11:12:55 -07:00
- policyviolations
2020-08-19 21:37:23 +05:30
verbs :
2020-08-21 11:12:55 -07:00
- get
- list
- watch
2020-08-19 21:37:23 +05:30
---
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
2020-08-26 18:50:38 +05:30
metadata :
labels :
rbac.authorization.k8s.io/aggregate-to-admin : "true"
2020-08-29 04:31:40 +05:30
name : kyverno:view-clusterpolicyreport
2020-08-26 18:50:38 +05:30
rules :
- apiGroups :
2020-10-30 17:33:20 -07:00
- policy.k8s.io/v1alpha1
2020-08-26 18:50:38 +05:30
resources :
2020-08-29 04:31:40 +05:30
- clusterpolicyreport
2020-08-26 18:50:38 +05:30
verbs :
- get
- list
- watch
---
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
2020-08-19 21:37:23 +05:30
metadata :
labels :
2020-08-21 11:12:55 -07:00
rbac.authorization.k8s.io/aggregate-to-admin : "true"
name : kyverno:view-clusterpolicyviolations
2020-08-19 21:37:23 +05:30
rules :
- apiGroups :
- kyverno.io
resources :
2020-08-21 11:12:55 -07:00
- clusterpolicyviolations
2020-08-19 21:37:23 +05:30
verbs :
- get
- list
- watch
---
2020-06-05 14:36:37 -07:00
apiVersion : rbac.authorization.k8s.io/v1beta1
2020-02-18 17:10:15 -08:00
kind : ClusterRole
metadata :
2020-06-05 14:36:37 -07:00
labels :
rbac.authorization.k8s.io/aggregate-to-view : "true"
2020-08-19 21:37:23 +05:30
name : kyverno:view-policies-policyviolations
2020-02-18 17:10:15 -08:00
rules :
2020-02-11 13:43:36 -08:00
- apiGroups :
2020-06-05 14:36:37 -07:00
- kyverno.io
2020-02-11 13:43:36 -08:00
resources :
2020-06-05 14:36:37 -07:00
- policyviolations
2020-08-19 21:37:23 +05:30
- policies
2020-02-11 13:43:36 -08:00
verbs :
- get
- list
2020-06-05 14:36:37 -07:00
- watch
2020-02-18 17:10:15 -08:00
---
2020-08-26 18:50:38 +05:30
apiVersion : rbac.authorization.k8s.io/v1beta1
kind : ClusterRole
metadata :
labels :
rbac.authorization.k8s.io/aggregate-to-view : "true"
2020-08-29 04:31:40 +05:30
name : kyverno:view-policyreport
2020-08-26 18:50:38 +05:30
rules :
- apiGroups :
2020-10-30 17:33:20 -07:00
- policy.k8s.io/v1alpha1
2020-08-26 18:50:38 +05:30
resources :
2020-08-29 04:31:40 +05:30
- policyreport
2020-08-26 18:50:38 +05:30
verbs :
- get
- list
- watch
---
2020-06-05 13:51:22 -07:00
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
metadata :
name : kyverno:customresources
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:customresources
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
metadata :
name : kyverno:generatecontroller
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:generatecontroller
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
metadata :
name : kyverno:policycontroller
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:policycontroller
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
2020-10-14 18:59:44 -07:00
metadata :
name : kyverno:policyreport
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:policyreport
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
2020-06-05 13:51:22 -07:00
metadata :
name : kyverno:userinfo
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:userinfo
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : rbac.authorization.k8s.io/v1
kind : ClusterRoleBinding
metadata :
name : kyverno:webhook
roleRef :
apiGroup : rbac.authorization.k8s.io
kind : ClusterRole
name : kyverno:webhook
subjects :
- kind : ServiceAccount
name : kyverno-service-account
namespace : kyverno
---
apiVersion : v1
data :
2020-08-07 17:09:24 -07:00
excludeGroupRole : system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
2020-10-28 15:36:50 -07:00
resourceFilters : '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
2020-06-05 13:51:22 -07:00
kind : ConfigMap
metadata :
name : init-config
namespace : kyverno
---
apiVersion : v1
kind : Service
metadata :
labels :
app : kyverno
name : kyverno-svc
namespace : kyverno
spec :
ports :
- port : 443
2020-10-22 11:26:22 -07:00
targetPort : https
2020-06-05 13:51:22 -07:00
selector :
app : kyverno
---
apiVersion : apps/v1
kind : Deployment
metadata :
labels :
app : kyverno
name : kyverno
namespace : kyverno
spec :
replicas : 1
selector :
matchLabels :
app : kyverno
template :
metadata :
labels :
app : kyverno
spec :
containers :
- args :
2020-10-28 15:36:50 -07:00
- --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]
2020-06-05 13:51:22 -07:00
- -v=2
env :
- name : INIT_CONFIG
value : init-config
2020-07-02 03:20:49 +05:30
- name : KYVERNO_NAMESPACE
valueFrom :
fieldRef :
fieldPath : metadata.namespace
2020-07-05 08:05:31 +05:30
- name : KYVERNO_SVC
value : kyverno-svc
2020-10-22 13:07:48 -07:00
image : nirmata/kyverno:v1.2.1
2020-06-05 13:51:22 -07:00
imagePullPolicy : Always
livenessProbe :
failureThreshold : 4
httpGet :
path : /health/liveness
2020-10-22 13:07:48 -07:00
port : 9443
2020-06-05 13:51:22 -07:00
scheme : HTTPS
initialDelaySeconds : 5
periodSeconds : 10
successThreshold : 1
timeoutSeconds : 5
name : kyverno
ports :
2020-10-22 00:41:25 -07:00
- containerPort : 9443
2020-10-22 11:26:22 -07:00
name : https
protocol : TCP
2020-06-05 13:51:22 -07:00
readinessProbe :
failureThreshold : 4
httpGet :
path : /health/readiness
2020-10-22 13:07:48 -07:00
port : 9443
2020-06-05 13:51:22 -07:00
scheme : HTTPS
initialDelaySeconds : 5
periodSeconds : 10
successThreshold : 1
timeoutSeconds : 5
resources :
limits :
memory : 128Mi
requests :
cpu : 100m
memory : 50Mi
2020-10-22 00:41:25 -07:00
securityContext :
allowPrivilegeEscalation : false
capabilities :
drop :
2020-10-22 11:26:22 -07:00
- all
privileged : false
readOnlyRootFilesystem : true
runAsNonRoot : true
runAsUser : 1000
2020-06-05 13:51:22 -07:00
initContainers :
2020-10-22 13:07:48 -07:00
- image : nirmata/kyvernopre:v1.2.1
2020-08-05 23:26:31 -07:00
imagePullPolicy : Always
2020-06-05 13:51:22 -07:00
name : kyverno-pre
2020-10-22 00:41:25 -07:00
securityContext :
allowPrivilegeEscalation : false
capabilities :
drop :
2020-10-22 11:26:22 -07:00
- all
privileged : false
readOnlyRootFilesystem : true
runAsNonRoot : true
runAsUser : 1000
securityContext :
runAsNonRoot : true
2020-06-05 13:51:22 -07:00
serviceAccountName : kyverno-service-account
