---
# CustomResourceDefinition for Kyverno's EphemeralReport resource
# (group reports.kyverno.io, version v1, namespaced).
# The controller-gen annotation below indicates this file is tool-generated;
# hand edits are likely to be overwritten on regeneration — confirm with the
# project's build before editing by hand.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # "(devel)" suggests an unreleased controller-gen build was used.
    controller-gen.kubebuilder.io/version: (devel)
  name: ephemeralreports.reports.kyverno.io
spec:
  group: reports.kyverno.io
  names:
    # Listed by `kubectl get kyverno` together with other resources in this category.
    categories:
    - kyverno
    kind: EphemeralReport
    listKind: EphemeralReportList
    plural: ephemeralreports
    shortNames:
    - ephr
    singular: ephemeralreport
  scope: Namespaced
  versions:
  - # Columns rendered by `kubectl get`. The first four and the last two read
    # labels/annotations under the audit.kyverno.io/ prefix; the dots inside
    # those keys are backslash-escaped so JSONPath treats them as literals.
    additionalPrinterColumns:
    - jsonPath: .metadata.labels['audit\.kyverno\.io/source']
      name: Source
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group']
      name: Group
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind']
      name: Kind
      type: string
    # Note: "Owner" is read from an annotation, unlike the label-backed columns.
    - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name']
      name: Owner
      type: string
    - jsonPath: .spec.summary.pass
      name: Pass
      type: integer
    - jsonPath: .spec.summary.fail
      name: Fail
      type: integer
    - jsonPath: .spec.summary.warn
      name: Warn
      type: integer
    - jsonPath: .spec.summary.error
      name: Error
      type: integer
    - jsonPath: .spec.summary.skip
      name: Skip
      type: integer
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    # priority: 1 columns are hidden from the default view and shown with -o wide.
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid']
      name: Uid
      priority: 1
      type: string
    - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
      name: Hash
      priority: 1
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: EphemeralReport is the Schema for the EphemeralReports API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Only `owner` is required in spec (see `required` below); `results`
              # and `summary` are optional.
              owner:
                description: Owner is a reference to the report owner (e.g. a Deployment,
                  Namespace, or Node)
                properties:
                  apiVersion:
                    description: API version of the referent.
                    type: string
                  blockOwnerDeletion:
                    description: |-
                      If true, AND if the owner has the "foregroundDeletion" finalizer, then
                      the owner cannot be deleted from the key-value store until this
                      reference is removed.
                      See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion
                      for how the garbage collector interacts with this field and enforces the foreground deletion.
                      Defaults to false.
                      To set this field, a user needs "delete" permission of the owner,
                      otherwise 422 (Unprocessable Entity) will be returned.
                    type: boolean
                  controller:
                    description: If true, this reference points to the managing controller.
                    type: boolean
                  kind:
                    description: |-
                      Kind of the referent.
                      More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                    type: string
                  name:
                    description: |-
                      Name of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names
                    type: string
                  uid:
                    description: |-
                      UID of the referent.
                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids
                    type: string
                required:
                - apiVersion
                - kind
                - name
                - uid
                type: object
                # atomic: the whole owner object is replaced, not merged field by
                # field, on server-side apply.
                x-kubernetes-map-type: atomic
              results:
                description: PolicyReportResult provides result details
                items:
                  description: PolicyReportResult provides the result for an individual
                    policy
                  properties:
                    category:
                      description: Category indicates policy category
                      type: string
                    message:
                      description: Description is a short user friendly message for
                        the policy rule
                      type: string
                    policy:
                      description: Policy is the name or identifier of the policy
                      type: string
                    # Free-form string-to-string map; no key or value constraints are
                    # declared beyond the string type.
                    properties:
                      additionalProperties:
                        type: string
                      description: Properties provides additional information for
                        the policy rule
                      type: object
                    resourceSelector:
                      description: |-
                        SubjectSelector is an optional label selector for checked Kubernetes resources.
                        For example, a policy result may apply to all pods that match a label.
                        Either a Subject or a SubjectSelector can be specified.
                        If neither are provided, the result is assumed to be for the policy report scope.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              # The allowed operators are documented only in the
                              # description; the schema declares no enum for them.
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    resources:
                      description: Subjects is an optional reference to the checked
                        Kubernetes resources
                      items:
                        description: ObjectReference contains enough information to
                          let you inspect or modify the referred object.
                        properties:
                          apiVersion:
                            description: API version of the referent.
                            type: string
                          fieldPath:
                            description: |-
                              If referring to a piece of an object instead of an entire object, this string
                              should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2].
                              For example, if the object reference is to a container within a pod, this would take on a value like:
                              "spec.containers{name}" (where "name" refers to the name of the container that triggered
                              the event) or if no container name is specified "spec.containers[2]" (container with
                              index 2 in this pod). This syntax is chosen only to have some well-defined way of
                              referencing a part of an object.
                            type: string
                          kind:
                            description: |-
                              Kind of the referent.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
                            type: string
                          name:
                            description: |-
                              Name of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                            type: string
                          namespace:
                            description: |-
                              Namespace of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
                            type: string
                          resourceVersion:
                            description: |-
                              Specific resourceVersion to which this reference is made, if any.
                              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency
                            type: string
                          uid:
                            description: |-
                              UID of the referent.
                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids
                            type: string
                        # Unlike `owner`, no field of an ObjectReference is required here.
                        type: object
                        x-kubernetes-map-type: atomic
                      type: array
                    # `result` values mirror the summary counters (pass/fail/warn/error/skip).
                    result:
                      description: Result indicates the outcome of the policy rule
                        execution
                      enum:
                      - pass
                      - fail
                      - warn
                      - error
                      - skip
                      type: string
                    rule:
                      description: Rule is the name or identifier of the rule within
                        the policy
                      type: string
                    scored:
                      description: Scored indicates if this result is scored
                      type: boolean
                    severity:
                      description: Severity indicates policy check result criticality
                      enum:
                      - critical
                      - high
                      - low
                      - medium
                      - info
                      type: string
                    source:
                      description: Source is an identifier for the policy engine that
                        manages this report
                      type: string
                    # Timestamp is a seconds/nanos pair; both parts are required
                    # whenever the field is present.
                    timestamp:
                      description: Timestamp indicates the time the result was found
                      properties:
                        nanos:
                          description: |-
                            Non-negative fractions of a second at nanosecond resolution. Negative
                            second values with fractions must still have non-negative nanos values
                            that count forward in time. Must be from 0 to 999,999,999
                            inclusive. This field may be limited in precision depending on context.
                          format: int32
                          type: integer
                        seconds:
                          description: |-
                            Represents seconds of UTC time since Unix epoch
                            1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
                            9999-12-31T23:59:59Z inclusive.
                          format: int64
                          type: integer
                      required:
                      - nanos
                      - seconds
                      type: object
                  # Each result needs at least a policy name.
                  required:
                  - policy
                  type: object
                type: array
              summary:
                description: PolicyReportSummary provides a summary of results
                properties:
                  error:
                    description: Error provides the count of policies that could not
                      be evaluated
                    type: integer
                  fail:
                    description: Fail provides the count of policies whose requirements
                      were not met
                    type: integer
                  pass:
                    description: Pass provides the count of policies whose requirements
                      were met
                    type: integer
                  skip:
                    description: Skip indicates the count of policies that were not
                      selected for evaluation
                    type: integer
                  warn:
                    description: Warn provides the count of non-scored policies whose
                      requirements were not met
                    type: integer
                type: object
            required:
            - owner
            type: object
        required:
        - spec
        type: object
    # v1 is both served and the storage version.
    served: true
    storage: true
    # No status or scale subresource is declared, so every field (spec included)
    # is written through the main resource endpoint.
    subresources: {}