2022-11-08 14:12:35 +05:30
---
apiVersion : apiextensions.k8s.io/v1
kind : CustomResourceDefinition
metadata :
annotations :
2023-06-29 21:28:18 +05:30
controller-gen.kubebuilder.io/version : v0.12.0
2022-11-08 14:12:35 +05:30
name : cleanuppolicies.kyverno.io
spec :
group : kyverno.io
names :
2022-11-25 15:29:45 +05:30
categories :
- kyverno
2022-11-08 14:12:35 +05:30
kind : CleanupPolicy
listKind : CleanupPolicyList
plural : cleanuppolicies
2022-11-25 15:29:45 +05:30
shortNames :
- cleanpol
2022-11-08 14:12:35 +05:30
singular : cleanuppolicy
scope : Namespaced
versions :
- additionalPrinterColumns :
- jsonPath : .spec.schedule
name : Schedule
type : string
- jsonPath : .metadata.creationTimestamp
name : Age
type : date
2022-12-08 12:45:47 +01:00
name : v2alpha1
2022-11-08 14:12:35 +05:30
schema :
openAPIV3Schema :
description : CleanupPolicy defines a rule for resource cleanup.
properties :
apiVersion :
description : 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type : string
kind :
description : 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info : https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type : string
metadata :
type : object
spec :
description : Spec declares policy behaviors.
properties :
conditions :
2023-01-04 17:03:56 +08:00
description : Conditions defines the conditions used to select the
resources which will be cleaned up.
2022-11-08 14:12:35 +05:30
properties :
all :
description : AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
2023-01-04 17:03:56 +08:00
notation. Here, all of the conditions need to pass.
2022-11-08 14:12:35 +05:30
items :
properties :
key :
description : Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields : true
2023-05-08 22:51:52 +08:00
message :
description : Message is an optional display message
type : string
2022-11-08 14:12:35 +05:30
operator :
description : 'Operator is the conditional operation to perform.
Valid operators are : Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum :
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type : string
value :
description : Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields : true
type : object
type : array
any :
description : AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
2023-01-04 17:03:56 +08:00
notation. Here, at least one of the conditions need to pass.
2022-11-08 14:12:35 +05:30
items :
properties :
key :
description : Key is the context entry (using JMESPath) for
conditional rule evaluation.
x-kubernetes-preserve-unknown-fields : true
2023-05-08 22:51:52 +08:00
message :
description : Message is an optional display message
type : string
2022-11-08 14:12:35 +05:30
operator :
description : 'Operator is the conditional operation to perform.
Valid operators are : Equals, NotEquals, In, AnyIn, AllIn,
NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
enum :
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type : string
value :
description : Value is the conditional value, or set of values.
The values can be fixed set or can be variables declared
using JMESPath.
x-kubernetes-preserve-unknown-fields : true
type : object
type : array
type : object
2023-04-20 12:36:13 +05:30
context :
description : Context defines variables and data sources that can be
used during rule execution.
items :
description : ContextEntry adds variables and data sources to a rule
Context. Either a ConfigMap reference or a APILookup must be provided.
properties :
apiCall :
description : APICall is an HTTP request to the Kubernetes API
server, or other JSON web service. The data returned is stored
in the context with the name for the context entry.
properties :
2023-04-26 16:31:44 -07:00
data :
description : Data specifies the POST data sent to the server.
items :
description : RequestData contains the HTTP POST data
properties :
key :
description : Key is a unique identifier for the data
value
type : string
value :
description : Value is the data value
x-kubernetes-preserve-unknown-fields : true
required :
- key
- value
type : object
type : array
2023-04-20 12:36:13 +05:30
jmesPath :
description : JMESPath is an optional JSON Match Expression
that can be used to transform the JSON response returned
from the server. For example a JMESPath of "items | length(@)"
applied to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all
namespaces.
type : string
2023-04-26 16:31:44 -07:00
method :
default : GET
description : Method is the HTTP request type (GET or POST).
enum :
- GET
- POST
type : string
2023-04-20 12:36:13 +05:30
service :
description : Service is an API call to a JSON web service
properties :
caBundle :
description : CABundle is a PEM encoded CA bundle which
will be used to validate the server certificate.
type : string
2023-04-26 16:31:44 -07:00
url :
description : URL is the JSON web service URL. A typical
form is `https://{service}.{namespace}:{port}/{path}`.
2023-04-20 12:36:13 +05:30
type : string
required :
2023-04-26 16:31:44 -07:00
- url
2023-04-20 12:36:13 +05:30
type : object
urlPath :
description : URLPath is the URL path to be used in the HTTP
2023-04-26 16:31:44 -07:00
GET or POST request to the Kubernetes API server (e.g.
"/api/v1/namespaces" or "/apis/apps/v1/deployments").
The format required is the same format used by the `kubectl
get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
2023-04-20 12:36:13 +05:30
type : string
type : object
configMap :
description : ConfigMap is the ConfigMap reference.
properties :
name :
description : Name is the ConfigMap name.
type : string
namespace :
description : Namespace is the ConfigMap namespace.
type : string
required :
- name
type : object
imageRegistry :
description : ImageRegistry defines requests to an OCI/Docker
V2 registry to fetch image details.
properties :
2023-06-16 19:07:08 +05:30
imageRegistryCredentials :
description : ImageRegistryCredentials provides credentials
that will be used for authentication with registry
properties :
allowInsecureRegistry :
description : AllowInsecureRegistry allows insecure access
to a registry
type : boolean
2023-06-17 01:55:46 +05:30
providers :
description : 'Providers specifies a list of OCI Registry
names, whose authentication providers are provided
It can be of one of these values : AWS, ACR, GCP, GHCR'
2023-06-16 19:07:08 +05:30
items :
2023-06-17 01:55:46 +05:30
description : ImageRegistryCredentialsProvidersType
provides the list of credential providers required.
2023-06-16 19:07:08 +05:30
enum :
- default
- amazon
- azure
- google
- github
type : string
type : array
secrets :
description : Secrets specifies a list of secrets that
are provided for credentials Secrets must live in
the Kyverno namespace
items :
type : string
type : array
type : object
2023-04-20 12:36:13 +05:30
jmesPath :
description : JMESPath is an optional JSON Match Expression
that can be used to transform the ImageData struct returned
as a result of processing the image reference.
type : string
reference :
description : 'Reference is image reference to a container
image in the registry. Example : ghcr.io/kyverno/kyverno:latest'
type : string
required :
- reference
type : object
name :
description : Name is the variable name.
type : string
variable :
description : Variable defines an arbitrary JMESPath context
variable that can be defined inline.
properties :
default :
description : Default is an optional arbitrary JSON object
that the variable may take if the JMESPath expression
evaluates to nil
x-kubernetes-preserve-unknown-fields : true
jmesPath :
description : JMESPath is an optional JMESPath Expression
that can be used to transform the variable.
type : string
value :
description : Value is any arbitrary JSON object representable
in YAML or JSON form.
x-kubernetes-preserve-unknown-fields : true
type : object
type : object
type : array
2022-11-08 14:12:35 +05:30
exclude :
description : ExcludeResources defines when cleanuppolicy should not
be applied. The exclude criteria can include resource information
(e.g. kind, name, namespace, labels) and admission review request
information like the name or role.
properties :
all :
description : All allows specifying resources which will be ANDed
items :
description : ResourceFilter allow users to "AND" or "OR" between
resources
properties :
clusterRoles :
description : ClusterRoles is the list of cluster-wide role
names for the user.
items :
type : string
type : array
resources :
description : ResourceDescription contains information about
the resource being created or modified.
properties :
annotations :
additionalProperties :
type : string
description : Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type : object
kinds :
description : Kinds is a list of resource kinds.
items :
type : string
type : array
name :
description : 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE : "Name" is being deprecated in favor of "Names".'
type : string
names :
description : Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items :
type : string
type : array
namespaceSelector :
description : 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
namespaces :
description : Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items :
type : string
type : array
2023-03-29 06:22:21 +02:00
operations :
description : Operations can contain values ["CREATE,
"UPDATE" , "CONNECT" , "DELETE" ] , which are used to
match a specific action.
items :
description : AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum :
- CREATE
- CONNECT
- UPDATE
- DELETE
type : string
type : array
2022-11-08 14:12:35 +05:30
selector :
description : 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
type : object
roles :
description : Roles is the list of namespaced role names
for the user.
items :
type : string
type : array
subjects :
description : Subjects is the list of subject names like
users, user groups, and service accounts.
items :
description : Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties :
apiGroup :
description : APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type : string
kind :
description : Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount" . If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type : string
name :
description : Name of the object being referenced.
type : string
namespace :
description : Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type : string
required :
- kind
- name
type : object
x-kubernetes-map-type : atomic
type : array
type : object
type : array
any :
description : Any allows specifying resources which will be ORed
items :
description : ResourceFilter allow users to "AND" or "OR" between
resources
properties :
clusterRoles :
description : ClusterRoles is the list of cluster-wide role
names for the user.
items :
type : string
type : array
resources :
description : ResourceDescription contains information about
the resource being created or modified.
properties :
annotations :
additionalProperties :
type : string
description : Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type : object
kinds :
description : Kinds is a list of resource kinds.
items :
type : string
type : array
name :
description : 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE : "Name" is being deprecated in favor of "Names".'
type : string
names :
description : Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items :
type : string
type : array
namespaceSelector :
description : 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
namespaces :
description : Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items :
type : string
type : array
2023-03-29 06:22:21 +02:00
operations :
description : Operations can contain values ["CREATE,
"UPDATE" , "CONNECT" , "DELETE" ] , which are used to
match a specific action.
items :
description : AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum :
- CREATE
- CONNECT
- UPDATE
- DELETE
type : string
type : array
2022-11-08 14:12:35 +05:30
selector :
description : 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
type : object
roles :
description : Roles is the list of namespaced role names
for the user.
items :
type : string
type : array
subjects :
description : Subjects is the list of subject names like
users, user groups, and service accounts.
items :
description : Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties :
apiGroup :
description : APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type : string
kind :
description : Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount" . If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type : string
name :
description : Name of the object being referenced.
type : string
namespace :
description : Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type : string
required :
- kind
- name
type : object
x-kubernetes-map-type : atomic
type : array
type : object
type : array
type : object
match :
description : MatchResources defines when cleanuppolicy should be applied.
The match criteria can include resource information (e.g. kind,
name, namespace, labels) and admission review request information
like the user name or role. At least one kind is required.
properties :
all :
description : All allows specifying resources which will be ANDed
items :
description : ResourceFilter allow users to "AND" or "OR" between
resources
properties :
clusterRoles :
description : ClusterRoles is the list of cluster-wide role
names for the user.
items :
type : string
type : array
resources :
description : ResourceDescription contains information about
the resource being created or modified.
properties :
annotations :
additionalProperties :
type : string
description : Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type : object
kinds :
description : Kinds is a list of resource kinds.
items :
type : string
type : array
name :
description : 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE : "Name" is being deprecated in favor of "Names".'
type : string
names :
description : Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items :
type : string
type : array
namespaceSelector :
description : 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
namespaces :
description : Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items :
type : string
type : array
2023-03-29 06:22:21 +02:00
operations :
description : Operations can contain values ["CREATE,
"UPDATE" , "CONNECT" , "DELETE" ] , which are used to
match a specific action.
items :
description : AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum :
- CREATE
- CONNECT
- UPDATE
- DELETE
type : string
type : array
2022-11-08 14:12:35 +05:30
selector :
description : 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
type : object
roles :
description : Roles is the list of namespaced role names
for the user.
items :
type : string
type : array
subjects :
description : Subjects is the list of subject names like
users, user groups, and service accounts.
items :
description : Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties :
apiGroup :
description : APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type : string
kind :
description : Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount" . If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type : string
name :
description : Name of the object being referenced.
type : string
namespace :
description : Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type : string
required :
- kind
- name
type : object
x-kubernetes-map-type : atomic
type : array
type : object
type : array
any :
description : Any allows specifying resources which will be ORed
items :
description : ResourceFilter allow users to "AND" or "OR" between
resources
properties :
clusterRoles :
description : ClusterRoles is the list of cluster-wide role
names for the user.
items :
type : string
type : array
resources :
description : ResourceDescription contains information about
the resource being created or modified.
properties :
annotations :
additionalProperties :
type : string
description : Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type : object
kinds :
description : Kinds is a list of resource kinds.
items :
type : string
type : array
name :
description : 'Name is the name of the resource. The
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
NOTE : "Name" is being deprecated in favor of "Names".'
type : string
names :
description : Names are the names of the resources. Each
name supports wildcard characters "*" (matches zero
or many characters) and "?" (at least one character).
items :
type : string
type : array
namespaceSelector :
description : 'NamespaceSelector is a label selector
for the resource namespace. Label keys and values
in `matchLabels` support the wildcard characters `*`
(matches zero or many characters) and `?` (matches
one character).Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
namespaces :
description : Namespaces is a list of namespaces names.
Each name supports wildcard characters "*" (matches
zero or many characters) and "?" (at least one character).
items :
type : string
type : array
2023-03-29 06:22:21 +02:00
operations :
description : Operations can contain values ["CREATE,
"UPDATE" , "CONNECT" , "DELETE" ] , which are used to
match a specific action.
items :
description : AdmissionOperation can have one of the
values CREATE, UPDATE, CONNECT, DELETE, which are
used to match a specific action.
enum :
- CREATE
- CONNECT
- UPDATE
- DELETE
type : string
type : array
2022-11-08 14:12:35 +05:30
selector :
description : 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*" ] matches any key and value but does not match
an empty label set.'
properties :
matchExpressions :
description : matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items :
description : A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties :
key :
description : key is the label key that the
selector applies to.
type : string
operator :
description : operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type : string
values :
description : values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items :
type : string
type : array
required :
- key
- operator
type : object
type : array
matchLabels :
additionalProperties :
type : string
description : matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type : object
type : object
x-kubernetes-map-type : atomic
type : object
roles :
description : Roles is the list of namespaced role names
for the user.
items :
type : string
type : array
subjects :
description : Subjects is the list of subject names like
users, user groups, and service accounts.
items :
description : Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties :
apiGroup :
description : APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type : string
kind :
description : Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount" . If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type : string
name :
description : Name of the object being referenced.
type : string
namespace :
description : Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type : string
required :
- kind
- name
type : object
x-kubernetes-map-type : atomic
type : array
type : object
type : array
type : object
schedule :
description : The schedule in Cron format
type : string
required :
- schedule
type : object
status :
description : Status contains policy runtime data.
properties :
conditions :
items :
description : "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are : \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties :
lastTransitionTime :
description : lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format : date-time
type : string
message :
description : message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength : 32768
type : string
observedGeneration :
description : observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format : int64
minimum : 0
type : integer
reason :
description : reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength : 1024
minLength : 1
pattern : ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type : string
status :
description : status of the condition, one of True, False, Unknown.
enum :
- "True"
- "False"
- Unknown
type : string
type :
description : type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength : 316
pattern : ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type : string
required :
- lastTransitionTime
- message
- reason
- status
- type
type : object
type : array
type : object
required :
- spec
type : object
served : true
storage : true
subresources :
status : {}
