mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00
Code Activity

update types.go to generate schema

Browse source
This commit is contained in:
Shuting Zhao 2020-11-12 19:48:39 -08:00
parent 5c38aab03d
commit 047b2b8739
16 changed files with 4402 additions and 240 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
Makefile
View file

@ -183,11 +183,14 @@ release:
kustomize build ./definitions > ./definitions/install.yaml
kustomize build ./definitions > ./definitions/release/install.yaml
report-crd: controller-gen
$(CONTROLLER_GEN) crd:trivialVersions=true paths=./pkg/api/policyreport/v1alpha1 output:dir=./definitions/crds
$(CONTROLLER_GEN) object paths=./pkg/api/policyreport/v1alpha1
$(CONTROLLER_GEN) crd:trivialVersions=true paths=./pkg/api/kyverno/v1alpha1 output:dir=./definitions/crds
kyverno-crd: controller-gen
$(CONTROLLER_GEN) crd paths=./pkg/api/kyverno/v1alpha1 output:dir=./definitions/crds
$(CONTROLLER_GEN) object paths=./pkg/api/kyverno/v1alpha1
$(CONTROLLER_GEN) crd paths=./pkg/api/kyverno/v1 output:dir=./definitions/crds
report-crd: controller-gen
$(CONTROLLER_GEN) crd paths=./pkg/api/policyreport/v1alpha1 output:dir=./definitions/crds
$(CONTROLLER_GEN) object paths=./pkg/api/policyreport/v1alpha1
# find or download controller-gen
# download controller-gen if necessary

1200
charts/kyverno/crds/crds.yaml
View file

File diff suppressed because it is too large Load diff

9
definitions/crds/kustomization.yaml
View file

@ -3,7 +3,10 @@ kind: Kustomization
resources:
- ./crds.yaml
- ./wgpolicyk8s.io_clusterpolicyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml
- ./kyverno.io_clusterpolicies.yaml
- ./kyverno.io_clusterreportchangerequests.yaml
- ./kyverno.io_generaterequests.yaml
- ./kyverno.io_policies.yaml
- ./kyverno.io_reportchangerequests.yaml
- ./kyverno.io_clusterreportchangerequests.yaml
- ./wgpolicyk8s.io_clusterpolicyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml

518
definitions/crds/kyverno.io_clusterpolicies.yaml Normal file
View file

@ -0,0 +1,518 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
names:
kind: ClusterPolicy
listKind: ClusterPolicyList
plural: clusterpolicies
shortNames:
- cpol
singular: clusterpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.background
name: Background
type: string
- jsonPath: .spec.validationFailureAction
name: Validatoin Failure Action
type: string
name: v1
schema:
openAPIV3Schema:
description: ClusterPolicy ...
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is the information to identify the policy
properties:
background:
default: true
description: Background controls if rules are applied to existing
resources during a background scan. Default value is "true".
type: boolean
rules:
description: Rules contains the list of rules to be applied to resources.
items:
description: Rule contains a mutation, validation, or generation
action for the single resource description.
properties:
context:
description: Defines variables that can be used during rule
execution.
items:
properties:
configMap:
properties:
name:
type: string
namespace:
type: string
type: object
name:
type: string
type: object
type: array
exclude:
description: Selects resources for which the policy rule should
not be applied.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is excluded.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
generate:
description: Generates new resources.
properties:
apiVersion:
description: Specifies resource apiVersion.
type: string
clone:
description: To clone resource from other resource.
properties:
name:
description: Specifies name of the resource.
type: string
namespace:
description: Specifies resource namespace.
type: string
type: object
data:
description: Data specifies the resource manifest to be
generated.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Specifies resource kind.
type: string
name:
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace.
type: string
synchronize:
description: To keep resources synchronized with source
resource.
type: boolean
type: object
match:
description: Selects resources for which the policy rule should
be applied. If it's defined, "kinds" inside MatchResources
block is required.
properties:
clusterRoles:
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is applied.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
type: object
roles:
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
can either hold a direct API object reference, or a
value for non-objects such as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects.
Defaults to "rbac.authorization.k8s.io" for User
and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values
defined by this API group are "User", "Group", and
"ServiceAccount". If the Authorizer does not recognized
the kind value, the Authorizer should report an
error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If
the object kind is non-namespace, such as "User"
or "Group", and this value is not empty the Authorizer
should report an error.
type: string
required:
- kind
- name
type: object
type: array
type: object
mutate:
description: Modifies matching resources.
properties:
overlay:
description: Specifies overlay patterns. Overlay is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
x-kubernetes-preserve-unknown-fields: true
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patches:
description: Specifies JSON Patch. Patches is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
items:
description: Patch declares patch operation for created
object according to RFC 6902.
properties:
op:
description: Specifies operations supported by JSON
Patch. i.e:- add, replace and delete.
type: string
path:
description: Specifies path of the resource.
type: string
value:
description: Specifies the value to be applied.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
patchesJson6902:
type: string
type: object
name:
description: A unique label for the rule.
type: string
preconditions:
description: Allows condition-based control of the policy rule
execution.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
validate:
description: Checks matching resources.
properties:
anyPattern:
description: Specifies list of validation patterns.
x-kubernetes-preserve-unknown-fields: true
deny:
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation.
items:
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
type: string
value:
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
message:
description: Specifies message to be displayed on validation
policy violation.
type: string
pattern:
description: Specifies validation pattern.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
validationFailureAction:
default: audit
description: ValidationFailureAction controls if a policy failure
should not disallow an admission review request (enforce), or allow
(audit) and report an error. Default value is "audit".
type: string
type: object
status:
description: Status contains statistics related to policy
properties:
averageExecutionTime:
description: Average time required to process the policy rules on
a resource.
type: string
resourcesBlockedCount:
description: Count of resources that were blocked for failing a validate,
across all rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated,
across all rules.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated, across
all rules.
type: integer
ruleStatus:
items:
description: RuleStats provides status per rule.
properties:
appliedCount:
description: Count of rules that were applied.
type: integer
averageExecutionTime:
description: Average time require to process the rule.
type: string
failedCount:
description: Count of rules that failed.
type: integer
resourcesBlockedCount:
description: Count of resources for whom update/create api requests
were blocked as the resource did not satisfy the policy rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated.
type: integer
ruleName:
description: Rule name.
type: string
violationCount:
description: Number of violations created by this rule.
type: integer
required:
- ruleName
type: object
type: array
rulesAppliedCount:
description: Count of rules that were applied.
type: integer
rulesFailedCount:
description: Count of rules that failed.
type: integer
violationCount:
description: Number of violations created by this policy.
type: integer
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

4
definitions/crds/kyverno.io_clusterreportchangerequests.yaml
View file

@ -13,8 +13,10 @@ spec:
kind: ClusterReportChangeRequest
listKind: ClusterReportChangeRequestList
plural: clusterreportchangerequests
shortNames:
- cpol
singular: clusterreportchangerequest
scope: Namespaced
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind

18
definitions/crds/kyverno.io_generaterequests.yaml
View file

@ -98,16 +98,16 @@ spec:
request
properties:
apiVersion:
description: Specifies resource apiVersionm
description: Specifies resource apiVersion.
type: string
kind:
description: Specifies resource kind
description: Specifies resource kind.
type: string
name:
description: Specifies resource name
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace
description: Specifies resource namespace.
type: string
type: object
required:
@ -122,19 +122,19 @@ spec:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
items:
description: ResourceSpec information to identify the resource
description: ResourceSpec information to identify the resource.
properties:
apiVersion:
description: Specifies resource apiVersionm
description: Specifies resource apiVersion.
type: string
kind:
description: Specifies resource kind
description: Specifies resource kind.
type: string
name:
description: Specifies resource name
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace
description: Specifies resource namespace.
type: string
type: object
type: array

162
definitions/crds/kyverno.io_policies.yaml
View file

@ -13,13 +13,22 @@ spec:
kind: Policy
listKind: PolicyList
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .spec.background
name: Background
type: string
- jsonPath: .spec.validationFailureAction
name: Validatoin Failure Action
type: string
name: v1
schema:
openAPIV3Schema:
description: Policy contains rules to be applied to created resources
description: Policy contains rules to be applied to created resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -34,17 +43,18 @@ spec:
metadata:
type: object
spec:
description: Spec is the information to identify the policy
description: Spec is the information to identify the policy.
properties:
background:
default: true
description: Background controls if rules are applied to existing
resources during a background scan. Default value is "true".
type: boolean
rules:
description: Rules contains the list of rules to be applied to resources
description: Rules contains the list of rules to be applied to resources.
items:
description: Rule contains a mutation, validation, or generation
action for the single resource description
action for the single resource description.
properties:
context:
description: Defines variables that can be used during rule
@ -67,33 +77,33 @@ spec:
not be applied.
properties:
clusterRoles:
description: Specifies list of cluster wide role names
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is excluded
description: Specifies resources to which rule is excluded.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -140,13 +150,13 @@ spec:
type: object
type: object
roles:
description: Specifies list of namespaced role names
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
@ -185,33 +195,34 @@ spec:
description: Generates new resources.
properties:
apiVersion:
description: Specifies resource apiVersionm
description: Specifies resource apiVersion.
type: string
clone:
description: To clone resource from other resource
description: To clone resource from other resource.
properties:
name:
description: Specifies name of the resource
description: Specifies name of the resource.
type: string
namespace:
description: Specifies resource namespace
description: Specifies resource namespace.
type: string
type: object
data:
description: Data ...
description: Data specifies the resource manifest to be
generated.
x-kubernetes-preserve-unknown-fields: true
kind:
description: Specifies resource kind
description: Specifies resource kind.
type: string
name:
description: Specifies resource name
description: Specifies resource name.
type: string
namespace:
description: Specifies resource namespace
description: Specifies resource namespace.
type: string
synchronize:
description: To keep resources synchronized with source
resource
resource.
type: boolean
type: object
match:
@ -220,33 +231,33 @@ spec:
block is required.
properties:
clusterRoles:
description: Specifies list of cluster wide role names
description: Specifies list of cluster wide role names.
items:
type: string
type: array
resources:
description: Specifies resources to which rule is applied
description: Specifies resources to which rule is applied.
properties:
annotations:
additionalProperties:
type: string
description: Specifies map of annotations
description: Specifies map of annotations.
type: object
kinds:
description: Specifies list of resource kind
description: Specifies list of resource kind.
items:
type: string
type: array
name:
description: Specifies name of the resource
description: Specifies name of the resource.
type: string
namespaces:
description: Specifies list of namespaces
description: Specifies list of namespaces.
items:
type: string
type: array
selector:
description: Specifies the set of selectors
description: Specifies the set of selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -293,13 +304,13 @@ spec:
type: object
type: object
roles:
description: Specifies list of namespaced role names
description: Specifies list of namespaced role names.
items:
type: string
type: array
subjects:
description: Specifies list of subject names like users,
user groups, and service accounts
user groups, and service accounts.
items:
description: Subject contains a reference to the object
or user identities a role binding applies to. This
@ -338,29 +349,29 @@ spec:
description: Modifies matching resources.
properties:
overlay:
description: Specifies overlay patterns Overlay is preserved
description: Specifies overlay patterns. Overlay is preserved
for backwards compatibility and will be removed in Kyverno
1.5+
1.5+.
x-kubernetes-preserve-unknown-fields: true
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patches:
description: Specifies JSON Patch Patches is preserved for
backwards compatibility and will be removed in Kyverno
1.5+
description: Specifies JSON Patch. Patches is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
items:
description: Patch declares patch operation for created
object according to RFC 6902
object according to RFC 6902.
properties:
op:
description: Specifies operations supported by JSON
Patch. i.e:- add, replace and delete
Patch. i.e:- add, replace and delete.
type: string
path:
description: Specifies path of the resource
description: Specifies path of the resource.
type: string
value:
description: Specifies the value to be applied
description: Specifies the value to be applied.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@ -368,22 +379,22 @@ spec:
type: string
type: object
name:
description: A unique label for the rule
description: A unique label for the rule.
type: string
preconditions:
description: Allows condition-based control of the policy rule
execution.
items:
description: Condition defines the evaluation condition
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value
description: Operator to compare against value.
type: string
value:
description: Value to be compared
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
@ -391,37 +402,34 @@ spec:
description: Checks matching resources.
properties:
anyPattern:
description: Specifies list of validation patterns
items: {}
nullable: true
type: array
description: Specifies list of validation patterns.
x-kubernetes-preserve-unknown-fields: true
deny:
description: Specifies conditions to deny validation
description: Specifies conditions to deny validation.
properties:
conditions:
description: Specifies set of condition to deny validation
description: Specifies set of condition to deny validation.
items:
description: Condition defines the evaluation condition
description: Condition defines the evaluation condition.
properties:
key:
description: Key contains key to compare
description: Key contains key to compare.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value
description: Operator to compare against value.
type: string
value:
description: Value to be compared
description: Value to be compared.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
message:
description: Specifies message to be displayed on validation
policy violation
policy violation.
type: string
pattern:
description: Specifies validation pattern
description: Specifies validation pattern.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
@ -434,65 +442,65 @@ spec:
type: string
type: object
status:
description: Status contains statistics related to policy
description: Status contains statistics related to policy.
properties:
averageExecutionTime:
description: average time required to process the policy rules on
a resource
description: Average time required to process the policy rules on
a resource.
type: string
resourcesBlockedCount:
description: Count of resources that were blocked for failing a validate,
across all rules
across all rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated,
across all rules
across all rules.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated, across
all rules
all rules.
type: integer
ruleStatus:
items:
description: RuleStats provides status per rule
description: RuleStats provides status per rule.
properties:
appliedCount:
description: Count of rules that were applied
description: Count of rules that were applied.
type: integer
averageExecutionTime:
description: average time require to process the rule
description: Average time require to process the rule.
type: string
failedCount:
description: Count of rules that failed
description: Count of rules that failed.
type: integer
resourcesBlockedCount:
description: Count of resources for whom update/create api requests
were blocked as the resource did not satisfy the policy rules
were blocked as the resource did not satisfy the policy rules.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated
description: Count of resources that were successfully generated.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated
description: Count of resources that were successfully mutated.
type: integer
ruleName:
description: Rule name
description: Rule name.
type: string
violationCount:
description: number of violations created by this rule
description: Number of violations created by this rule.
type: integer
required:
- ruleName
type: object
type: array
rulesAppliedCount:
description: Count of rules that were applied
description: Count of rules that were applied.
type: integer
rulesFailedCount:
description: Count of rules that failed
description: Count of rules that failed.
type: integer
violationCount:
description: number of violations created by this policy
description: Number of violations created by this policy.
type: integer
type: object
required:
@ -500,6 +508,8 @@ spec:
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""

2
definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml
View file

@ -16,7 +16,7 @@ spec:
shortNames:
- cpolr
singular: clusterpolicyreport
scope: Namespaced
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind

1200
definitions/install.yaml
View file

File diff suppressed because it is too large Load diff

1200
definitions/install_debug.yaml
View file

File diff suppressed because it is too large Load diff

20
pkg/api/kyverno/v1/clusterpolicy_types.go
View file

@ -4,16 +4,26 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// ClusterPolicy ...
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// ClusterPolicy ...
type ClusterPolicy Policy
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol
// +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validatoin Failure Action",type="string",JSONPath=".spec.validationFailureAction"
type ClusterPolicy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
// Spec is the information to identify the policy
Spec Spec `json:"spec" yaml:"spec"`
// Status contains statistics related to policy
Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
// ClusterPolicyList ...
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type ClusterPolicyList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`

245
pkg/api/kyverno/v1/policy_types.go
View file

@ -2,6 +2,7 @@ package v1
import (
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -13,37 +14,48 @@ type PolicyList struct {
Items []Policy `json:"items" yaml:"items"`
}
// Policy contains rules to be applied to created resources
// Policy contains rules to be applied to created resources.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
// +kubebuilder:printcolumn:name="Validatoin Failure Action",type="string",JSONPath=".spec.validationFailureAction"
// +kubebuilder:resource:shortName=pol
type Policy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
// Spec is the information to identify the policy
// Spec is the information to identify the policy.
Spec Spec `json:"spec" yaml:"spec"`
// Status contains statistics related to policy
// Status contains statistics related to policy.
// +optional
Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
// Spec describes policy behavior by its rules
// Spec describes policy behavior by its rules.
type Spec struct {
// Rules contains the list of rules to be applied to resources
// Rules contains the list of rules to be applied to resources.
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
// ValidationFailureAction controls if a policy failure should not disallow
// an admission review request (enforce), or allow (audit) and report an error.
// Default value is "audit".
// +kubebuilder:default=audit
// +optional
ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// Background controls if rules are applied to existing resources during a background scan.
// Default value is "true".
// +kubebuilder:default=true
// +optional
Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
}
// Rule contains a mutation, validation, or generation action
// for the single resource description
// for the single resource description.
type Rule struct {
// A unique label for the rule
// A unique label for the rule.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Defines variables that can be used during rule execution.
@ -86,21 +98,22 @@ type ConfigMapReference struct {
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}
//Condition defines the evaluation condition
// Condition defines the evaluation condition.
type Condition struct {
// Key contains key to compare
// Key contains key to compare.
// +kubebuilder:validation:XPreserveUnknownFields
Key interface{} `json:"key,omitempty" yaml:"key,omitempty"`
Key apiextensions.JSON `json:"key,omitempty" yaml:"key,omitempty"`
// Operator to compare against value
// Operator to compare against value.
Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
// Value to be compared
// Value to be compared.
// +kubebuilder:validation:XPreserveUnknownFields
Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
// +optional
Value apiextensions.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}
// ConditionOperator defines the type for condition operator
// ConditionOperator defines the type for condition operator.
type ConditionOperator string
const (
@ -112,62 +125,82 @@ const (
NotIn ConditionOperator = "NotIn"
)
//MatchResources contains resource description of the resources that the rule is to apply on
// MatchResources contains resource description of the resources that the rule is to apply on.
type MatchResources struct {
// Specifies user information
// Specifies user information.
// +optional
UserInfo `json:",omitempty" yaml:",omitempty"`
// Specifies resources to which rule is applied
// Specifies resources to which rule is applied.
// +optional
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
//ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule
// ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule.
type ExcludeResources struct {
// Specifies user information
// Specifies user information.
// +optional
UserInfo `json:",omitempty" yaml:",omitempty"`
// Specifies resources to which rule is excluded
// Specifies resources to which rule is excluded.
// +optional
ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}
// UserInfo filter based on users
// UserInfo filter based on users.
type UserInfo struct {
// Specifies list of namespaced role names
// Specifies list of namespaced role names.
// +optional
Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
// Specifies list of cluster wide role names
// Specifies list of cluster wide role names.
// +optional
ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
// Specifies list of subject names like users, user groups, and service accounts
// Specifies list of subject names like users, user groups, and service accounts.
// +optional
Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
}
// ResourceDescription describes the resource to which the PolicyRule will be applied.
type ResourceDescription struct {
// Specifies list of resource kind
// Specifies list of resource kind.
// +optional
Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"`
// Specifies name of the resource
// Specifies name of the resource.
// +optional
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Specifies list of namespaces
// Specifies list of namespaces.
// +optional
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
// Specifies map of annotations
// Specifies map of annotations.
// +optional
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
// Specifies the set of selectors
// Specifies the set of selectors.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
}
// Mutation describes the way how Mutating Webhook will react on resource creation
// Mutation describes the way how Mutating Webhook will react on resource creation.
type Mutation struct {
// Specifies overlay patterns
// Overlay is preserved for backwards compatibility and will be removed in Kyverno 1.5+
// Specifies overlay patterns.
// Overlay is preserved for backwards compatibility and will be removed in Kyverno 1.5+.
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
Overlay interface{} `json:"overlay,omitempty"`
Overlay apiextensions.JSON `json:"overlay,omitempty"`
// Specifies JSON Patch
// Patches is preserved for backwards compatibility and will be removed in Kyverno 1.5+
// Specifies JSON Patch.
// Patches is preserved for backwards compatibility and will be removed in Kyverno 1.5+.
// +optional
Patches []Patch `json:"patches,omitempty" yaml:"patches,omitempty"`
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
PatchStrategicMerge interface{} `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`
PatchStrategicMerge apiextensions.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`
// +optional
PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
@ -175,133 +208,169 @@ type Mutation struct {
// +k8s:deepcopy-gen=false
// Patch declares patch operation for created object according to RFC 6902
// Patch declares patch operation for created object according to RFC 6902.
type Patch struct {
// Specifies path of the resource
// Specifies path of the resource.
Path string `json:"path,omitempty" yaml:"path,omitempty"`
// Specifies operations supported by JSON Patch.
// i.e:- add, replace and delete
// i.e:- add, replace and delete.
Operation string `json:"op,omitempty" yaml:"op,omitempty"`
// Specifies the value to be applied
// Specifies the value to be applied.
// +kubebuilder:validation:XPreserveUnknownFields
Value interface{} `json:"value,omitempty" yaml:"value,omitempty"`
// +optional
Value apiextensions.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}
// Validation describes the way how Validating Webhook will check the resource on creation
// Validation describes the way how Validating Webhook will check the resource on creation.
type Validation struct {
// Specifies message to be displayed on validation policy violation
// Specifies message to be displayed on validation policy violation.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
// Specifies validation pattern
// Specifies validation pattern.
// +kubebuilder:validation:XPreserveUnknownFields
// +optional
Pattern interface{} `json:"pattern,omitempty" yaml:"pattern,omitempty"`
Pattern apiextensions.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`
// Specifies list of validation patterns
// Specifies list of validation patterns.
// +kubebuilder:validation:XPreserveUnknownFields
// +kubebuilder:validation:Optional
// +kubebuilder:validation:nullable
// +nullable
AnyPattern []interface{} `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
// +optional
AnyPattern apiextensions.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`
// Specifies conditions to deny validation
// Specifies conditions to deny validation.
// +optional
Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
}
type Deny struct {
// Specifies set of condition to deny validation
// Specifies set of condition to deny validation.
Conditions []Condition `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}
// Generation describes which resources will be created when other resource is created
// Generation describes which resources will be created when other resource is created.
type Generation struct {
ResourceSpec `json:",omitempty" yaml:",omitempty"`
// To keep resources synchronized with source resource
// To keep resources synchronized with source resource.
// +optional
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
// Data ...
// Data specifies the resource manifest to be generated.
// +kubebuilder:pruning:PreserveUnknownFields
Data interface{} `json:"data,omitempty" yaml:"data,omitempty"`
// +optional
Data apiextensions.JSON `json:"data,omitempty" yaml:"data,omitempty"`
// To clone resource from other resource
// To clone resource from other resource.
// +optional
Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`
}
// CloneFrom - location of the resource
// which will be used as source when applying 'generate'
// CloneFrom - location of the resource,
// which will be used as source when applying 'generate'.
type CloneFrom struct {
// Specifies resource namespace
// Specifies resource namespace.
// +optional
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
// Specifies name of the resource
// Specifies name of the resource.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
// PolicyStatus mostly contains statistics related to policy
// PolicyStatus mostly contains statistics related to policy.
type PolicyStatus struct {
// average time required to process the policy rules on a resource
// Average time required to process the policy rules on a resource.
// +optional
AvgExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`
// number of violations created by this policy
// Number of violations created by this policy.
// +optional
ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`
// Count of rules that failed
// Count of rules that failed.
// +optional
RulesFailedCount int `json:"rulesFailedCount,omitempty" yaml:"rulesFailedCount,omitempty"`
// Count of rules that were applied
// Count of rules that were applied.
// +optional
RulesAppliedCount int `json:"rulesAppliedCount,omitempty" yaml:"rulesAppliedCount,omitempty"`
// Count of resources that were blocked for failing a validate, across all rules
// Count of resources that were blocked for failing a validate, across all rules.
// +optional
ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`
// Count of resources that were successfully mutated, across all rules
// Count of resources that were successfully mutated, across all rules.
// +optional
ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`
// Count of resources that were successfully generated, across all rules
// Count of resources that were successfully generated, across all rules.
// +optional
ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`
// +optional
Rules []RuleStats `json:"ruleStatus,omitempty" yaml:"ruleStatus,omitempty"`
}
//RuleStats provides status per rule
// RuleStats provides status per rule.
type RuleStats struct {
// Rule name
// Rule name.
Name string `json:"ruleName" yaml:"ruleName"`
// average time require to process the rule
// Average time require to process the rule.
// +optional
ExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`
// number of violations created by this rule
// Number of violations created by this rule.
// +optional
ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`
// Count of rules that failed
// Count of rules that failed.
// +optional
FailedCount int `json:"failedCount,omitempty" yaml:"failedCount,omitempty"`
// Count of rules that were applied
// Count of rules that were applied.
// +optional
AppliedCount int `json:"appliedCount,omitempty" yaml:"appliedCount,omitempty"`
// Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules
// Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules.
// +optional
ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`
// Count of resources that were successfully mutated
// Count of resources that were successfully mutated.
// +optional
ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`
// Count of resources that were successfully generated
// Count of resources that were successfully generated.
// +optional
ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`
}
// ResourceSpec information to identify the resource
// ResourceSpec information to identify the resource.
type ResourceSpec struct {
// Specifies resource apiVersionm
// Specifies resource apiVersion.
// +optional
APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`
// Specifies resource kind
// +optional
// Specifies resource kind.
Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`
// Specifies resource namespace
// Specifies resource namespace.
// +optional
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
// Specifies resource name
// Specifies resource name.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
// ViolatedRule stores the information regarding the rule
// ViolatedRule stores the information regarding the rule.
type ViolatedRule struct {
// Specifies violated rule name
// Specifies violated rule name.
Name string `json:"name" yaml:"name"`
// Specifies violated rule type
// Specifies violated rule type.
Type string `json:"type" yaml:"type"`
// Specifies violation message
// Specifies violation message.
// +optional
Message string `json:"message" yaml:"message"`
// +optional
Check string `json:"check" yaml:"check"`
}

1
pkg/api/kyverno/v1alpha1/clusterreportchangerequest_types.go
View file

@ -29,6 +29,7 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=clusterreportchangerequests,scope="Cluster",shortName=cpol
// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`

24
pkg/api/kyverno/v1alpha1/zz_generated.deepcopy.go
View file

@ -1,28 +1,12 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
// Code generated by controller-gen. DO NOT EDIT.
package v1alpha1
import (
policyreportv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
v1 "k8s.io/api/core/v1"
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -54,7 +38,6 @@ func (in *ClusterReportChangeRequest) DeepCopyInto(out *ClusterReportChangeReque
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportChangeRequest.
@ -87,7 +70,6 @@ func (in *ClusterReportChangeRequestList) DeepCopyInto(out *ClusterReportChangeR
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportChangeRequestList.
@ -135,7 +117,6 @@ func (in *ReportChangeRequest) DeepCopyInto(out *ReportChangeRequest) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportChangeRequest.
@ -168,7 +149,6 @@ func (in *ReportChangeRequestList) DeepCopyInto(out *ReportChangeRequestList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportChangeRequestList.

2
pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go
View file

@ -28,6 +28,7 @@ import (
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +genclient:nonNamespaced
// +kubebuilder:object:root=true
// +kubebuilder:resource:path=clusterpolicyreports,scope="Cluster",shortName=cpolr
// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
@ -36,7 +37,6 @@ import (
// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:shortName=cpolr
// ClusterPolicyReport is the Schema for the clusterpolicyreports API
type ClusterPolicyReport struct {

26
pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go
View file

@ -1,27 +1,11 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
// Code generated by controller-gen. DO NOT EDIT.
package v1alpha1
import (
v1 "k8s.io/api/core/v1"
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -53,7 +37,6 @@ func (in *ClusterPolicyReport) DeepCopyInto(out *ClusterPolicyReport) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReport.
@ -86,7 +69,6 @@ func (in *ClusterPolicyReportList) DeepCopyInto(out *ClusterPolicyReportList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReportList.
@ -134,7 +116,6 @@ func (in *PolicyReport) DeepCopyInto(out *PolicyReport) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReport.
@ -167,7 +148,6 @@ func (in *PolicyReportList) DeepCopyInto(out *PolicyReportList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportList.
@ -214,7 +194,6 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) {
(*out)[key] = val
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportResult.
@ -230,7 +209,6 @@ func (in *PolicyReportResult) DeepCopy() *PolicyReportResult {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyReportSummary) DeepCopyInto(out *PolicyReportSummary) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportSummary.