diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index 48e1b215cd..0000000000 --- a/docs/README.md +++ /dev/null @@ -1,13 +0,0 @@ -# docs - -This folder containers the generated CRD documentation in HTML format. It is referenced from the Kyverno website (https://kyverno.io/docs/crds/). - -## Building - -Follow these steps to generate the docs: - -1. Run `make codegen-api-docs` - -2. Commit / push the results to git - -3. If needed, update the [docs site](https://kyverno.io/docs/crds/). \ No newline at end of file diff --git a/docs/config.json b/docs/config.json deleted file mode 100644 index f98275bfc6..0000000000 --- a/docs/config.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "hideMemberFields": [ - "TypeMeta" - ], - "hideTypePatterns": [ - "ParseError$", - "List$" - ], - "externalPackages": [ - { - "typeMatchPrefix": "^k8s\\.io/apimachinery/pkg/apis/meta/v1\\.Duration$", - "docsURLTemplate": "https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration" - }, - { - "typeMatchPrefix": "^k8s\\.io/(api|apimachinery|apiextensions-apiserver/pkg/apis)/", - "docsURLTemplate": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#{{lower .TypeIdentifier}}-{{arrIndex .PackageSegments -1}}-{{arrIndex .PackageSegments -2}}" - }, - { - "typeMatchPrefix": "^github\\.com/knative/pkg/apis/duck/", - "docsURLTemplate": "https://godoc.org/github.com/knative/pkg/apis/duck/{{arrIndex .PackageSegments -1}}#{{.TypeIdentifier}}" - } - ], - "typeDisplayNamePrefixOverrides": { - "k8s.io/api/": "Kubernetes ", - "k8s.io/apimachinery/pkg/apis/": "Kubernetes ", - "k8s.io/apiextensions-apiserver/pkg/apis/": "Kubernetes " - }, - "markdownDisabled": false -} diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html deleted file mode 100644 index bab6fe095c..0000000000 --- a/docs/crd/v1/index.html +++ /dev/null @@ -1,3857 +0,0 @@ - - -
- - - --
ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
- -Field | -Description | -||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1
-
- |
-||||||||||||||||||||
-kind -string - |
-ClusterPolicy |
-||||||||||||||||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||||||||||||||
-spec - - -Spec - - - |
-
- Spec declares policy behaviors. -- -
|
-||||||||||||||||||||
-status - - -PolicyStatus - - - |
-
-(Optional)
- Status contains policy runtime data. - |
-
-
GenerateRequest is a request to process generate rule.
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1
-
- |
-||||||
-kind -string - |
-GenerateRequest |
-||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec - - -GenerateRequestSpec - - - |
-
- Spec is the information to identify the generate request. -- -
|
-||||||
-status - - -GenerateRequestStatus - - - |
-
-(Optional)
- Status contains statistics related to generate request. - |
-
-
Policy declares validation, mutation, and generation behaviors for matching resources. -See: https://kyverno.io/docs/writing-policies/ for more information.
- -Field | -Description | -||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1
-
- |
-||||||||||||||||||||
-kind -string - |
-Policy |
-||||||||||||||||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||||||||||||||
-spec - - -Spec - - - |
-
- Spec defines policy behaviors and contains one or more rules. -- -
|
-||||||||||||||||||||
-status - - -PolicyStatus - - - |
-
-(Optional)
- Status contains policy runtime information. -Deprecated. Policy metrics are available via the metrics endpoint - |
-
-(Appears on: -ContextEntry) -
--
APICall defines an HTTP request to the Kubernetes API server. The JSON -data retrieved is stored in the context. An APICall contains a URLPath -used to perform the HTTP GET request and an optional JMESPath used to -transform the retrieved JSON data.
- -Field | -Description | -
---|---|
-urlPath - -string - - |
-
- URLPath is the URL path to be used in the HTTP GET request to the
-Kubernetes API server (e.g. “/api/v1/namespaces” or “/apis/apps/v1/deployments”).
-The format required is the same format used by the |
-
-jmesPath - -string - - |
-
-(Optional)
- JMESPath is an optional JSON Match Expression that can be used to -transform the JSON response returned from the API server. For example -a JMESPath of “items | length(@)” applied to the API server response -to the URLPath “/apis/apps/v1/deployments” will return the total count -of deployments across all namespaces. - |
-
-(Appears on: -GenerateRequestContext) -
--
AdmissionRequestInfoObject stores the admission request and operation details
- -Field | -Description | -
---|---|
-admissionRequest - -string - - |
--(Optional) - | -
-operation - - -Kubernetes admission/v1.Operation - - - |
--(Optional) - | -
-(Appears on: -Attestation, -ForEachMutation, -ForEachValidation) -
--
AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. -AnyConditions get fulfilled when at least one of its sub-conditions passes. -AllConditions get fulfilled only when all of its sub-conditions pass.
- -Field | -Description | -
---|---|
-any - - -[]Condition - - - |
-
-(Optional)
- AnyConditions enable variable-based conditional rule execution. This is useful for -finer control of when an rule is applied. A condition can reference object data -using JMESPath notation. -Here, at least one of the conditions need to pass - |
-
-all - - -[]Condition - - - |
-
-(Optional)
- AllConditions enable variable-based conditional rule execution. This is useful for -finer control of when an rule is applied. A condition can reference object data -using JMESPath notation. -Here, all of the conditions need to pass - |
-
string
alias)-(Appears on: -Spec) -
--
ApplyRulesType controls whether processing stops after one rule is applied or all rules are applied.
- --(Appears on: -ImageVerification) -
--
Attestation are checks for signed in-toto Statements that are used to verify the image. -See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the -OCI registry and decodes them into a list of Statements.
- -Field | -Description | -
---|---|
-predicateType - -string - - |
-
- PredicateType defines the type of Predicate contained within the Statement. - |
-
-conditions - - -[]AnyAllConditions - - - |
-
-(Optional)
- Conditions are used to verify attributes within a Predicate. If no Conditions are specified -the attestation check is satisfied as long there are predicates that match the predicate type. - |
-
-(Appears on: -AttestorSet) -
--
-Field | -Description | -
---|---|
-keys - - -StaticKeyAttestor - - - |
-
- Keys specifies one or more public keys - |
-
-certificates - - -CertificateAttestor - - - |
-
- Certificates specifies one or more certificates - |
-
-keyless - - -KeylessAttestor - - - |
-
- Keyless is a set of attribute used to verify a Sigstore keyless attestor. -See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - |
-
-attestor - - -Kubernetes apiextensions/v1.JSON - - - |
-
- Attestor is a nested AttestorSet used to specify a more complex set of match authorities - |
-
-annotations - -map[string]string - - |
-
- Annotations are used for image verification. -Every specified key-value pair must exist and match in the verified payload. -The payload may contain other key-value pairs. - |
-
-repository - -string - - |
-
- Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. -If specified Repository will override other OCI image repository locations for this Attestor. - |
-
-(Appears on: -ImageVerification, -Manifests) -
--
-Field | -Description | -
---|---|
-count - -int - - |
-
- Count specifies the required number of entries that must match. If the count is null, all entries must match -(a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a -value N, then N must be less than or equal to the size of entries, and at least N entries must match. - |
-
-entries - - -[]Attestor - - - |
-
- Entries contains the available attestors. An attestor can be a static key, -attributes for keyless verification, or a nested attestor declaration. - |
-
-(Appears on: -PolicyStatus) -
--
AutogenStatus contains autogen status information.
- -Field | -Description | -
---|---|
-rules - - -[]Rule - - - |
-
- Rules is a list of Rule instances. It contains auto generated rules added for pod controllers - |
-
-(Appears on: -CertificateAttestor, -KeylessAttestor, -StaticKeyAttestor) -
--
-Field | -Description | -
---|---|
-url - -string - - |
-
- URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. - |
-
-(Appears on: -Attestor) -
--
-Field | -Description | -
---|---|
-cert - -string - - |
-
- Certificate is an optional PEM encoded public certificate. - |
-
-certChain - -string - - |
-
- CertificateChain is an optional PEM encoded set of certificates used to verify - |
-
-rekor - - -CTLog - - - |
-
- Rekor provides configuration for the Rekor transparency log service. If the value is nil, -Rekor is not checked. If an empty object is provided the public instance of -Rekor (https://rekor.sigstore.dev) is used. - |
-
-(Appears on: -Generation) -
--
CloneFrom provides the location of the source resource used to generate target resources. -The resource kind is derived from the match criteria.
- -Field | -Description | -
---|---|
-namespace - -string - - |
-
-(Optional)
- Namespace specifies source resource namespace. - |
-
-name - -string - - |
-
- Name specifies name of the resource. - |
-
-(Appears on: -AnyAllConditions) -
--
Condition defines variable-based conditional criteria for rule execution.
- -Field | -Description | -
---|---|
-key - - -Kubernetes apiextensions/v1.JSON - - - |
-
- Key is the context entry (using JMESPath) for conditional rule evaluation. - |
-
-operator - - -ConditionOperator - - - |
-
- Operator is the conditional operation to perform. Valid operators are: -Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, -GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, -DurationLessThanOrEquals, DurationLessThan - |
-
-value - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Value is the conditional value, or set of values. The values can be fixed set -or can be variables declared using JMESPath. - |
-
string
alias)-(Appears on: -Condition) -
--
ConditionOperator is the operation performed on condition key and value.
- --(Appears on: -ContextEntry) -
--
ConfigMapReference refers to a ConfigMap
- -Field | -Description | -
---|---|
-name - -string - - |
-
- Name is the ConfigMap name. - |
-
-namespace - -string - - |
-
- Namespace is the ConfigMap namespace. - |
-
-(Appears on: -ForEachMutation, -ForEachValidation, -Rule) -
--
ContextEntry adds variables and data sources to a rule Context. Either a -ConfigMap reference or a APILookup must be provided.
- -Field | -Description | -
---|---|
-name - -string - - |
-
- Name is the variable name. - |
-
-configMap - - -ConfigMapReference - - - |
-
- ConfigMap is the ConfigMap reference. - |
-
-apiCall - - -APICall - - - |
-
- APICall defines an HTTP request to the Kubernetes API server. The JSON -data retrieved is stored in the context. - |
-
-imageRegistry - - -ImageRegistry - - - |
-
- ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image -details. - |
-
-variable - - -Variable - - - |
-
- Variable defines an arbitrary JMESPath context variable that can be defined inline. - |
-
-(Appears on: -ForEachValidation, -Validation) -
--
Deny specifies a list of conditions used to pass or fail a validation rule.
- -Field | -Description | -
---|---|
-conditions - - -Kubernetes apiextensions/v1.JSON - - - |
-
- Multiple conditions can be declared under an |
-
-(Appears on: -Manifests) -
--
DryRunOption is a configuration for dryrun. -If enable is set to “true”, manifest verification performs “dryrun & compare” -which provides robust matching against changes by defaults and other admission controllers. -Dryrun requires additional permissions. See config/dryrun/dryrun_rbac.yaml
- -Field | -Description | -
---|---|
-enable - -bool - - |
-- | -
-namespace - -string - - |
-- | -
string
alias)-(Appears on: -Spec) -
--
FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
- --(Appears on: -Mutation) -
--
ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
- -Field | -Description | -
---|---|
-list - -string - - |
-
- List specifies a JMESPath expression that results in one or more elements -to which the validation logic is applied. - |
-
-context - - -[]ContextEntry - - - |
-
-(Optional)
- Context defines variables and data sources that can be used during rule execution. - |
-
-preconditions - - -AnyAllConditions - - - |
-
-(Optional)
- AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
-set of conditions. The declaration can contain nested |
-
-patchStrategicMerge - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- PatchStrategicMerge is a strategic merge patch used to modify resources. -See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ -and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - |
-
-patchesJson6902 - -string - - |
-
-(Optional)
- PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. -See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - |
-
-(Appears on: -Validation) -
--
ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic.
- -Field | -Description | -
---|---|
-list - -string - - |
-
- List specifies a JMESPath expression that results in one or more elements -to which the validation logic is applied. - |
-
-elementScope - -bool - - |
-
-(Optional)
- ElementScope specifies whether to use the current list element as the scope for validation. Defaults to “true” if not specified. -When set to “false”, “request.object” is used as the validation scope within the foreach -block to allow referencing other elements in the subtree. - |
-
-context - - -[]ContextEntry - - - |
-
-(Optional)
- Context defines variables and data sources that can be used during rule execution. - |
-
-preconditions - - -AnyAllConditions - - - |
-
-(Optional)
- AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
-set of conditions. The declaration can contain nested |
-
-pattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Pattern specifies an overlay-style pattern used to check resources. - |
-
-anyPattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- AnyPattern specifies list of validation patterns. At least one of the patterns -must be satisfied for the validation rule to succeed. - |
-
-deny - - -Deny - - - |
-
-(Optional)
- Deny defines conditions used to pass or fail a validation rule. - |
-
-(Appears on: -GenerateRequestSpec) -
--
GenerateRequestContext stores the context to be shared.
- -Field | -Description | -
---|---|
-userInfo - - -RequestInfo - - - |
--(Optional) - | -
-admissionRequestInfo - - -AdmissionRequestInfoObject - - - |
--(Optional) - | -
-(Appears on: -GenerateRequest) -
--
GenerateRequestSpec stores the request specification.
- -Field | -Description | -
---|---|
-policy - -string - - |
-
- Specifies the name of the policy. - |
-
-resource - - -ResourceSpec - - - |
-
- ResourceSpec is the information to identify the generate request. - |
-
-context - - -GenerateRequestContext - - - |
-
- Context … - |
-
string
alias)-(Appears on: -GenerateRequestStatus) -
--
GenerateRequestState defines the state of request.
- --(Appears on: -GenerateRequest) -
--
GenerateRequestStatus stores the status of generated request.
- -Field | -Description | -
---|---|
-state - - -GenerateRequestState - - - |
-
- State represents state of the generate request. - |
-
-message - -string - - |
-
-(Optional)
- Specifies request status message. - |
-
-generatedResources - - -[]ResourceSpec - - - |
-
- This will track the resources that are generated by the generate Policy. -Will be used during clean up resources. - |
-
-(Appears on: -Rule) -
--
Generation defines how new resources should be created and managed.
- -Field | -Description | -
---|---|
-ResourceSpec - - -ResourceSpec - - - |
-
- ResourceSpec contains information to select the resource. - |
-
-synchronize - -bool - - |
-
-(Optional)
- Synchronize controls if generated resources should be kept in-sync with their source resource. -If Synchronize is set to “true” changes to generated resources will be overwritten with resource -data from Data or the resource specified in the Clone declaration. -Optional. Defaults to “false” if not specified. - |
-
-data - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Data provides the resource declaration used to populate each generated resource. -At most one of Data or Clone must be specified. If neither are provided, the generated -resource will be created with default data only. - |
-
-clone - - -CloneFrom - - - |
-
-(Optional)
- Clone specifies the source resource used to populate each generated resource. -At most one of Data or Clone can be specified. If neither are provided, the generated -resource will be created with default data only. - |
-
-cloneList - - -CloneList - - - |
-
-(Optional)
- CloneList specifies the list of source resource used to populate each generated resource. - |
-
-
-Field | -Description | -
---|---|
-path - -string - - |
-
- Path is the path to the object containing the image field in a custom resource. -It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard ‘*’. -Wildcard keys are expanded in case of arrays or objects. - |
-
-value - -string - - |
-
-(Optional)
- Value is an optional name of the field within ‘path’ that points to the image URI. -This is useful when a custom ‘key’ is also defined. - |
-
-name - -string - - |
-
-(Optional)
- Name is the entry the image will be available under ‘images. |
-
-key - -string - - |
-
-(Optional)
- Key is an optional name of the field within ‘path’ that will be used to uniquely identify an image. -Note - this field MUST be unique. - |
-
map[string][]./api/kyverno/v1.ImageExtractorConfig
alias)-(Appears on: -Rule) -
--
--(Appears on: -ContextEntry) -
--
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image -details.
- -Field | -Description | -
---|---|
-reference - -string - - |
-
- Reference is image reference to a container image in the registry. -Example: ghcr.io/kyverno/kyverno:latest - |
-
-jmesPath - -string - - |
-
-(Optional)
- JMESPath is an optional JSON Match Expression that can be used to -transform the ImageData struct returned as a result of processing -the image reference. - |
-
-(Appears on: -Rule) -
--
ImageVerification validates that images that match the specified pattern -are signed with the supplied public key. Once the image is verified it is -mutated to include the SHA digest retrieved during the registration.
- -Field | -Description | -
---|---|
-image - -string - - |
-
- Image is the image name consisting of the registry address, repository, image, and tag. -Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images. -Deprecated. Use ImageReferences instead. - |
-
-imageReferences - -[]string - - |
-
- ImageReferences is a list of matching image reference patterns. At least one pattern in the -list must match the image for the rule to apply. Each image reference consists of a registry -address (defaults to docker.io), repository, image, and tag (defaults to latest). -Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - |
-
-key - -string - - |
-
- Key is the PEM encoded public key that the image or attestation is signed with. -Deprecated. Use StaticKeyAttestor instead. - |
-
-roots - -string - - |
-
- Roots is the PEM encoded Root certificate chain used for keyless signing -Deprecated. Use KeylessAttestor instead. - |
-
-subject - -string - - |
-
- Subject is the identity used for keyless signing, for example an email address -Deprecated. Use KeylessAttestor instead. - |
-
-issuer - -string - - |
-
- Issuer is the certificate issuer used for keyless signing. -Deprecated. Use KeylessAttestor instead. - |
-
-additionalExtensions - -map[string]string - - |
-
- AdditionalExtensions are certificate-extensions used for keyless signing. -Deprecated. - |
-
-attestors - - -[]AttestorSet - - - |
-
- Attestors specified the required attestors (i.e. authorities) - |
-
-attestations - - -[]Attestation - - - |
-
- Attestations are optional checks for signed in-toto Statements used to verify the image. -See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the -OCI registry and decodes them into a list of Statement declarations. - |
-
-annotations - -map[string]string - - |
-
- Annotations are used for image verification. -Every specified key-value pair must exist and match in the verified payload. -The payload may contain other key-value pairs. -Deprecated. Use annotations per Attestor instead. - |
-
-repository - -string - - |
-
- Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. -If specified Repository will override the default OCI image repository configured for the installation. -The repository can also be overridden per Attestor or Attestation. - |
-
-mutateDigest - -bool - - |
-
- MutateDigest enables replacement of image tags with digests. -Defaults to true. - |
-
-verifyDigest - -bool - - |
-
- VerifyDigest validates that images have a digest. - |
-
-required - -bool - - |
-
- Required validates that images are verified i.e. have matched passed a signature or attestation check. - |
-
-(Appears on: -Attestor) -
--
-Field | -Description | -
---|---|
-rekor - - -CTLog - - - |
-
- Rekor provides configuration for the Rekor transparency log service. If the value is nil, -Rekor is not checked and a root certificate chain is expected instead. If an empty object -is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. - |
-
-issuer - -string - - |
-
- Issuer is the certificate issuer used for keyless signing. - |
-
-subject - -string - - |
-
- Subject is the verified identity used for keyless signing, for example the email address - |
-
-roots - -string - - |
-
- Roots is an optional set of PEM encoded trusted root certificates. -If not provided, the system roots are used. - |
-
-additionalExtensions - -map[string]string - - |
-
- AdditionalExtensions are certificate-extensions used for keyless signing. - |
-
-(Appears on: -Validation) -
--
-Field | -Description | -
---|---|
-attestors - - -[]AttestorSet - - - |
-
- Attestors specified the required attestors (i.e. authorities) - |
-
-annotationDomain - -string - - |
-
-(Optional)
- AnnotationDomain is custom domain of annotation for message and signature. Default is “cosign.sigstore.dev”. - |
-
-ignoreFields - - -IgnoreFieldList - - - |
-
-(Optional)
- Fields which will be ignored while comparing manifests. - |
-
-dryRun - - -DryRunOption - - - |
-
-(Optional)
- DryRun configuration - |
-
-repository - -string - - |
-
- Repository is an optional alternate OCI repository to use for resource bundle reference. -The repository can be overridden per Attestor or Attestation. - |
-
-(Appears on: -Rule) -
--
MatchResources is used to specify resource and admission review request data for -which a policy rule is applicable.
- -Field | -Description | -
---|---|
-any - - -ResourceFilters - - - |
-
-(Optional)
- Any allows specifying resources which will be ORed - |
-
-all - - -ResourceFilters - - - |
-
-(Optional)
- All allows specifying resources which will be ANDed - |
-
-UserInfo - - -UserInfo - - - |
-
-(Optional)
- UserInfo contains information about the user performing the operation. -Specifying UserInfo directly under match is being deprecated. -Please specify under “any” or “all” instead. - |
-
-resources - - -ResourceDescription - - - |
-
-(Optional)
- ResourceDescription contains information about the resource being created or modified. -Requires at least one tag to be specified when under MatchResources. -Specifying ResourceDescription directly under match is being deprecated. -Please specify under “any” or “all” instead. - |
-
-(Appears on: -Rule) -
--
Mutation defines how resource are modified.
- -Field | -Description | -
---|---|
-targets - - -[]ResourceSpec - - - |
-
-(Optional)
- Targets defines the target resources to be mutated. - |
-
-patchStrategicMerge - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- PatchStrategicMerge is a strategic merge patch used to modify resources. -See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ -and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - |
-
-patchesJson6902 - -string - - |
-
-(Optional)
- PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. -See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - |
-
-foreach - - -[]ForEachMutation - - - |
-
-(Optional)
- ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. - |
-
-
-Field | -Description | -
---|---|
-fields - -[]string - - |
-- | -
-objects - -github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest.ObjectReferenceList - - |
-- | -
-(Appears on: -Validation) -
--
PodSecurity applies exemptions for Kubernetes Pod Security admission -by specifying exclusions for Pod Security Standards controls.
- -Field | -Description | -
---|---|
-level - -k8s.io/pod-security-admission/api.Level - - |
-
- Level defines the Pod Security Standard level to be applied to workloads. -Allowed values are privileged, baseline, and restricted. - |
-
-version - -string - - |
-
-(Optional)
- Version defines the Pod Security Standard versions that Kubernetes supports. -Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. - |
-
-exclude - - -[]PodSecurityStandard - - - |
-
- Exclude specifies the Pod Security Standard controls to be excluded. - |
-
-(Appears on: -PodSecurity) -
--
PodSecurityStandard specifies the Pod Security Standard controls to be excluded.
- -Field | -Description | -
---|---|
-controlName - -string - - |
-
- ControlName specifies the name of the Pod Security Standard control. -See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ - |
-
-images - -[]string - - |
-
-(Optional)
- Images selects matching containers and applies the container level PSS. -Each image is the image name consisting of the registry address, repository, image, and tag. -Empty list matches no containers, PSS checks are applied at the pod level only. -Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - |
-
-
PolicyInterface abstracts the concrete policy type (Policy vs ClusterPolicy)
- --(Appears on: -ClusterPolicy, -Policy) -
--
PolicyStatus mostly contains runtime information related to policy execution. -Deprecated. Policy metrics are now available via the “/metrics” endpoint. -See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/
- -Field | -Description | -
---|---|
-ready - -bool - - |
-
- Ready indicates if the policy is ready to serve the admission request. -Deprecated in favor of Conditions - |
-
-conditions - - -[]Kubernetes meta/v1.Condition - - - |
-
-(Optional)
- Conditions is a list of conditions that apply to the policy - |
-
-autogen - - -AutogenStatus - - - |
-
-(Optional)
- Autogen contains autogen status information - |
-
-(Appears on: -GenerateRequestContext) -
--
RequestInfo contains permission info carried in an admission request.
- -Field | -Description | -
---|---|
-roles - -[]string - - |
-
-(Optional)
- Roles is a list of possible role send the request. - |
-
-clusterRoles - -[]string - - |
-
-(Optional)
- ClusterRoles is a list of possible clusterRoles send the request. - |
-
-userInfo - - -Kubernetes authentication/v1.UserInfo - - - |
-
-(Optional)
- UserInfo is the userInfo carried in the admission request. - |
-
-(Appears on: -MatchResources, -ResourceFilter) -
--
ResourceDescription contains criteria used to match resources.
- -Field | -Description | -
---|---|
-kinds - -[]string - - |
-
-(Optional)
- Kinds is a list of resource kinds. - |
-
-name - -string - - |
-
-(Optional)
- Name is the name of the resource. The name supports wildcard characters -“*” (matches zero or many characters) and “?” (at least one character). -NOTE: “Name” is being deprecated in favor of “Names”. - |
-
-names - -[]string - - |
-
-(Optional)
- Names are the names of the resources. Each name supports wildcard characters -“*” (matches zero or many characters) and “?” (at least one character). - |
-
-namespaces - -[]string - - |
-
-(Optional)
- Namespaces is a list of namespaces names. Each name supports wildcard characters -“*” (matches zero or many characters) and “?” (at least one character). - |
-
-annotations - -map[string]string - - |
-
-(Optional)
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys -and values support the wildcard characters “*” (matches zero or many characters) and -“?” (matches at least one character). - |
-
-selector - - -Kubernetes meta/v1.LabelSelector - - - |
-
-(Optional)
- Selector is a label selector. Label keys and values in |
-
-namespaceSelector - - -Kubernetes meta/v1.LabelSelector - - - |
-
-(Optional)
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
-in |
-
-
ResourceFilter allow users to “AND” or “OR” between resources
- -Field | -Description | -
---|---|
-UserInfo - - -UserInfo - - - |
-
-(Optional)
- UserInfo contains information about the user performing the operation. - |
-
-resources - - -ResourceDescription - - - |
-
- ResourceDescription contains information about the resource being created or modified. - |
-
[]./api/kyverno/v1.ResourceFilter
alias)-(Appears on: -MatchResources) -
--
ResourceFilters is a slice of ResourceFilter
- --(Appears on: -GenerateRequestSpec, -GenerateRequestStatus, -Generation, -Mutation) -
--
-Field | -Description | -
---|---|
-apiVersion - -string - - |
-
-(Optional)
- APIVersion specifies resource apiVersion. - |
-
-kind - -string - - |
-
- Kind specifies resource kind. - |
-
-namespace - -string - - |
-
-(Optional)
- Namespace specifies resource namespace. - |
-
-name - -string - - |
-
-(Optional)
- Name specifies the resource name. - |
-
-(Appears on: -AutogenStatus, -Spec) -
--
Rule defines a validation, mutation, or generation control for matching resources. -Each rules contains a match declaration to select resources, and an optional exclude -declaration to specify which resources to exclude.
- -Field | -Description | -
---|---|
-name - -string - - |
-
- Name is a label to identify the rule, It must be unique within the policy. - |
-
-context - - -[]ContextEntry - - - |
-
-(Optional)
- Context defines variables and data sources that can be used during rule execution. - |
-
-match - - -MatchResources - - - |
-
- MatchResources defines when this policy rule should be applied. The match -criteria can include resource information (e.g. kind, name, namespace, labels) -and admission review request information like the user name or role. -At least one kind is required. - |
-
-exclude - - -MatchResources - - - |
-
-(Optional)
- ExcludeResources defines when this policy rule should not be applied. The exclude -criteria can include resource information (e.g. kind, name, namespace, labels) -and admission review request information like the name or role. - |
-
-imageExtractors - - -ImageExtractorConfigs - - - |
-
-(Optional)
- ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. -This config is only valid for verifyImages rules. - |
-
-preconditions - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Preconditions are used to determine if a policy rule should be applied by evaluating a
-set of conditions. The declaration can contain nested |
-
-mutate - - -Mutation - - - |
-
-(Optional)
- Mutation is used to modify matching resources. - |
-
-validate - - -Validation - - - |
-
-(Optional)
- Validation is used to validate matching resources. - |
-
-generate - - -Generation - - - |
-
-(Optional)
- Generation is used to create new resources. - |
-
-verifyImages - - -[]ImageVerification - - - |
-
-(Optional)
- VerifyImages is used to verify image signatures and mutate them to add a digest - |
-
-(Appears on: -StaticKeyAttestor) -
--
-Field | -Description | -
---|---|
-name - -string - - |
-
- name of the secret - |
-
-namespace - -string - - |
-
- namespace name in which secret is created - |
-
-(Appears on: -ClusterPolicy, -Policy) -
--
Spec contains a list of Rule instances and other policy controls.
- -Field | -Description | -
---|---|
-rules - - -[]Rule - - - |
-
- Rules is a list of Rule instances. A Policy contains multiple rules and -each rule can validate, mutate, or generate resources. - |
-
-applyRules - - -ApplyRulesType - - - |
-
-(Optional)
- ApplyRules controls how rules in a policy are applied. Rule are processed in
-the order of declaration. When set to |
-
-failurePolicy - - -FailurePolicyType - - - |
-
-(Optional)
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail. - |
-
-validationFailureAction - - -ValidationFailureAction - - - |
-
-(Optional)
- ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”. - |
-
-validationFailureActionOverrides - - -[]ValidationFailureActionOverride - - - |
-
-(Optional)
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - |
-
-background - -bool - - |
-
-(Optional)
- Background controls if rules are applied to existing resources during a background scan. -Optional. Default value is “true”. The value must be set to “false” if the policy rule -uses variables that are only available in the admission review request (e.g. user name). - |
-
-schemaValidation - -bool - - |
-
-(Optional)
- SchemaValidation skips policy validation checks. -Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks. - |
-
-webhookTimeoutSeconds - -int32 - - |
-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - |
-
-mutateExistingOnPolicyUpdate - -bool - - |
-
-(Optional)
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. -Default value is “false”. - |
-
-generateExistingOnPolicyUpdate - -bool - - |
-
-(Optional)
- GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources -If is set to “true” generate rule will be triggered and applied to existing matched resources. -Defaults to “false” if not specified. - |
-
-(Appears on: -Attestor) -
--
-Field | -Description | -
---|---|
-publicKeys - -string - - |
-
- Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly -specified or can be a variable reference to a key specified in a ConfigMap (see -https://kyverno.io/docs/writing-policies/variables/). When multiple keys are specified each -key is processed as a separate staticKey entry (.attestors[*].entries.keys) within the set of -attestors and the count is applied across the keys. - |
-
-signatureAlgorithm - -string - - |
-
- Specify signature algorithm for public keys. Supported values are sha256 and sha512 - |
-
-kms - -string - - |
-
- KMS provides the URI to the public key stored in a Key Management System. See: -https://github.com/sigstore/cosign/blob/main/KMS.md - |
-
-secret - - -SecretReference - - - |
-
- Reference to a Secret resource that contains a public key - |
-
-rekor - - -CTLog - - - |
-
- Rekor provides configuration for the Rekor transparency log service. If the value is nil, -Rekor is not checked. If an empty object is provided the public instance of -Rekor (https://rekor.sigstore.dev) is used. - |
-
-(Appears on: -MatchResources, -ResourceFilter) -
--
UserInfo contains information about the user performing the operation.
- -Field | -Description | -
---|---|
-roles - -[]string - - |
-
-(Optional)
- Roles is the list of namespaced role names for the user. - |
-
-clusterRoles - -[]string - - |
-
-(Optional)
- ClusterRoles is the list of cluster-wide role names for the user. - |
-
-subjects - - -[]Kubernetes rbac/v1.Subject - - - |
-
-(Optional)
- Subjects is the list of subject names like users, user groups, and service accounts. - |
-
-(Appears on: -Rule) -
--
Validation defines checks to be performed on matching resources.
- -Field | -Description | -
---|---|
-message - -string - - |
-
-(Optional)
- Message specifies a custom message to be displayed on failure. - |
-
-manifests - - -Manifests - - - |
-
-(Optional)
- Manifest specifies conditions for manifest verification - |
-
-foreach - - -[]ForEachValidation - - - |
-
-(Optional)
- ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. - |
-
-pattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Pattern specifies an overlay-style pattern used to check resources. - |
-
-anyPattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- AnyPattern specifies list of validation patterns. At least one of the patterns -must be satisfied for the validation rule to succeed. - |
-
-deny - - -Deny - - - |
-
-(Optional)
- Deny defines conditions used to pass or fail a validation rule. - |
-
-podSecurity - - -PodSecurity - - - |
-
-(Optional)
- PodSecurity applies exemptions for Kubernetes Pod Security admission -by specifying exclusions for Pod Security Standards controls. - |
-
string
alias)-(Appears on: -Spec, -ValidationFailureActionOverride) -
--
ValidationFailureAction defines the policy validation failure action
- --(Appears on: -Spec) -
--
-Field | -Description | -
---|---|
-action - - -ValidationFailureAction - - - |
-- | -
-namespaces - -[]string - - |
-- | -
-(Appears on: -ContextEntry) -
--
Variable defines an arbitrary JMESPath context variable that can be defined inline.
- -Field | -Description | -
---|---|
-value - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Value is any arbitrary JSON object representable in YAML or JSON form. - |
-
-jmesPath - -string - - |
-
-(Optional)
- JMESPath is an optional JMESPath Expression that can be used to -transform the variable. - |
-
-default - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Default is an optional arbitrary JSON object that the variable may take if the JMESPath -expression evaluates to nil - |
-
-
ViolatedRule stores the information regarding the rule.
- -Field | -Description | -
---|---|
-name - -string - - |
-
- Name specifies violated rule name. - |
-
-type - -string - - |
-
- Type specifies violated rule type. - |
-
-message - -string - - |
-
-(Optional)
- Message specifies violation message. - |
-
-status - -string - - |
-
- Status shows the rule response status - |
-
-
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group
- -Resource Types: - --
AdmissionReport is the Schema for the AdmissionReports API
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1alpha2
-
- |
-||||||
-kind -string - |
-AdmissionReport |
-||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec - - -AdmissionReportSpec - - - |
-
- - -
|
-
-
BackgroundScanReport is the Schema for the BackgroundScanReports API
- -Field | -Description | -||||
---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1alpha2
-
- |
-||||
-kind -string - |
-BackgroundScanReport |
-||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||
-spec - - -BackgroundScanReportSpec - - - |
-
- - -
|
-
-
ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API
- -Field | -Description | -||||||
---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1alpha2
-
- |
-||||||
-kind -string - |
-ClusterAdmissionReport |
-||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||
-spec - - -AdmissionReportSpec - - - |
-
- - -
|
-
-
ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API
- -Field | -Description | -||||
---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1alpha2
-
- |
-||||
-kind -string - |
-ClusterBackgroundScanReport |
-||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||
-spec - - -BackgroundScanReportSpec - - - |
-
- - -
|
-
-(Appears on: -AdmissionReport, -ClusterAdmissionReport) -
--
-Field | -Description | -
---|---|
-owner - - -Kubernetes meta/v1.OwnerReference - - - |
-
- Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node) - |
-
-summary - -github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary - - |
-
-(Optional)
- PolicyReportSummary provides a summary of results - |
-
-results - -[]github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult - - |
-
-(Optional)
- PolicyReportResult provides result details - |
-
-(Appears on: -BackgroundScanReport, -ClusterBackgroundScanReport) -
--
-Field | -Description | -
---|---|
-summary - -github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportSummary - - |
-
-(Optional)
- PolicyReportSummary provides a summary of results - |
-
-results - -[]github.com/kyverno/kyverno/api/policyreport/v1alpha2.PolicyReportResult - - |
-
-(Optional)
- PolicyReportResult provides result details - |
-
-
ReportInterface abstracts the concrete report change request type
- --
Package v1beta1 contains API Schema definitions for the policy v1alpha1 API group
- -Resource Types: - --
UpdateRequest is a request to process mutate and generate rules in background.
- -Field | -Description | -||||||||
---|---|---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v1beta1
-
- |
-||||||||
-kind -string - |
-UpdateRequest |
-||||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||
-spec - - -UpdateRequestSpec - - - |
-
- Spec is the information to identify the update request. -- -
|
-||||||||
-status - - -UpdateRequestStatus - - - |
-
-(Optional)
- Status contains statistics related to update request. - |
-
-(Appears on: -UpdateRequestSpecContext) -
--
AdmissionRequestInfoObject stores the admission request and operation details
- -Field | -Description | -
---|---|
-admissionRequest - - -Kubernetes admission/v1.AdmissionRequest - - - |
--(Optional) - | -
-operation - - -Kubernetes admission/v1.Operation - - - |
--(Optional) - | -
-(Appears on: -UpdateRequestSpecContext) -
--
RequestInfo contains permission info carried in an admission request.
- -Field | -Description | -
---|---|
-roles - -[]string - - |
-
-(Optional)
- Roles is a list of possible role send the request. - |
-
-clusterRoles - -[]string - - |
-
-(Optional)
- ClusterRoles is a list of possible clusterRoles send the request. - |
-
-userInfo - - -Kubernetes authentication/v1.UserInfo - - - |
-
-(Optional)
- UserInfo is the userInfo carried in the admission request. - |
-
string
alias)-(Appears on: -UpdateRequestSpec) -
--
--(Appears on: -UpdateRequest) -
--
UpdateRequestSpec stores the request specification.
- -Field | -Description | -
---|---|
-requestType - - -RequestType - - - |
-
- Type represents request type for background processing - |
-
-policy - -string - - |
-
- Specifies the name of the policy. - |
-
-resource - -github.com/kyverno/kyverno/api/kyverno/v1.ResourceSpec - - |
-
- ResourceSpec is the information to identify the update request. - |
-
-context - - -UpdateRequestSpecContext - - - |
-
- Context … - |
-
-(Appears on: -UpdateRequestSpec) -
--
UpdateRequestSpecContext stores the context to be shared.
- -Field | -Description | -
---|---|
-userInfo - - -RequestInfo - - - |
--(Optional) - | -
-admissionRequestInfo - - -AdmissionRequestInfoObject - - - |
--(Optional) - | -
string
alias)-(Appears on: -UpdateRequestStatus) -
--
UpdateRequestState defines the state of request.
- --(Appears on: -UpdateRequest) -
--
UpdateRequestStatus defines the observed state of UpdateRequest
- -Field | -Description | -
---|---|
-handler - -string - - |
-
- Handler represents the instance ID that handles the UR - |
-
-state - - -UpdateRequestState - - - |
-
- State represents state of the update request. - |
-
-message - -string - - |
-
-(Optional)
- Specifies request status message. - |
-
-generatedResources - -[]github.com/kyverno/kyverno/api/kyverno/v1.ResourceSpec - - |
-
- This will track the resources that are updated by the generate Policy. -Will be used during clean up resources. - |
-
-
ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
- -Field | -Description | -||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v2beta1
-
- |
-||||||||||||||||||||
-kind -string - |
-ClusterPolicy |
-||||||||||||||||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||||||||||||||
-spec - - -Spec - - - |
-
- Spec declares policy behaviors. -- -
|
-||||||||||||||||||||
-status - -github.com/kyverno/kyverno/api/kyverno/v1.PolicyStatus - - |
-
-(Optional)
- Status contains policy runtime data. - |
-
-
Policy declares validation, mutation, and generation behaviors for matching resources. -See: https://kyverno.io/docs/writing-policies/ for more information.
- -Field | -Description | -||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion -string |
-
-
-kyverno.io/v2beta1
-
- |
-||||||||||||||||||||
-kind -string - |
-Policy |
-||||||||||||||||||||
-metadata - - -Kubernetes meta/v1.ObjectMeta - - - |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||||||||||||||
-spec - - -Spec - - - |
-
- Spec defines policy behaviors and contains one or more rules. -- -
|
-||||||||||||||||||||
-status - -github.com/kyverno/kyverno/api/kyverno/v1.PolicyStatus - - |
-
-(Optional)
- Status contains policy runtime data. - |
-
-
-Field | -Description | -
---|---|
-any - - -[]Condition - - - |
-
-(Optional)
- AnyConditions enable variable-based conditional rule execution. This is useful for -finer control of when an rule is applied. A condition can reference object data -using JMESPath notation. -Here, at least one of the conditions need to pass - |
-
-all - - -[]Condition - - - |
-
-(Optional)
- AllConditions enable variable-based conditional rule execution. This is useful for -finer control of when an rule is applied. A condition can reference object data -using JMESPath notation. -Here, all of the conditions need to pass - |
-
-(Appears on: -AnyAllConditions) -
--
-Field | -Description | -
---|---|
-key - - -Kubernetes apiextensions/v1.JSON - - - |
-
- Key is the context entry (using JMESPath) for conditional rule evaluation. - |
-
-operator - - -ConditionOperator - - - |
-
- Operator is the conditional operation to perform. Valid operators are: -Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, -GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, -DurationLessThanOrEquals, DurationLessThan - |
-
-value - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Value is the conditional value, or set of values. The values can be fixed set -or can be variables declared using JMESPath. - |
-
string
alias)-(Appears on: -Condition) -
--
ConditionOperator is the operation performed on condition key and value.
- --(Appears on: -Validation) -
--
Deny specifies a list of conditions used to pass or fail a validation rule.
- -Field | -Description | -
---|---|
-conditions - - -AnyAllConditions - - - |
-
- Multiple conditions can be declared under an |
-
-(Appears on: -Rule) -
--
ImageVerification validates that images that match the specified pattern -are signed with the supplied public key. Once the image is verified it is -mutated to include the SHA digest retrieved during the registration.
- -Field | -Description | -
---|---|
-imageReferences - -[]string - - |
-
- ImageReferences is a list of matching image reference patterns. At least one pattern in the -list must match the image for the rule to apply. Each image reference consists of a registry -address (defaults to docker.io), repository, image, and tag (defaults to latest). -Wildcards (‘*’ and ‘?’) are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - |
-
-attestors - -[]github.com/kyverno/kyverno/api/kyverno/v1.AttestorSet - - |
-
- Attestors specified the required attestors (i.e. authorities) - |
-
-attestations - -[]github.com/kyverno/kyverno/api/kyverno/v1.Attestation - - |
-
- Attestations are optional checks for signed in-toto Statements used to verify the image. -See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the -OCI registry and decodes them into a list of Statement declarations. - |
-
-repository - -string - - |
-
- Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. -If specified Repository will override the default OCI image repository configured for the installation. -The repository can also be overridden per Attestor or Attestation. - |
-
-mutateDigest - -bool - - |
-
- MutateDigest enables replacement of image tags with digests. -Defaults to true. - |
-
-verifyDigest - -bool - - |
-
- VerifyDigest validates that images have a digest. - |
-
-required - -bool - - |
-
- Required validates that images are verified i.e. have matched passed a signature or attestation check. - |
-
-(Appears on: -Rule) -
--
MatchResources is used to specify resource and admission review request data for -which a policy rule is applicable.
- -Field | -Description | -
---|---|
-any - -github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilters - - |
-
-(Optional)
- Any allows specifying resources which will be ORed - |
-
-all - -github.com/kyverno/kyverno/api/kyverno/v1.ResourceFilters - - |
-
-(Optional)
- All allows specifying resources which will be ANDed - |
-
-(Appears on: -ResourceFilter) -
--
ResourceDescription contains criteria used to match resources.
- -Field | -Description | -
---|---|
-kinds - -[]string - - |
-
-(Optional)
- Kinds is a list of resource kinds. - |
-
-names - -[]string - - |
-
-(Optional)
- Names are the names of the resources. Each name supports wildcard characters -“*” (matches zero or many characters) and “?” (at least one character). - |
-
-namespaces - -[]string - - |
-
-(Optional)
- Namespaces is a list of namespaces names. Each name supports wildcard characters -“*” (matches zero or many characters) and “?” (at least one character). - |
-
-annotations - -map[string]string - - |
-
-(Optional)
- Annotations is a map of annotations (key-value pairs of type string). Annotation keys -and values support the wildcard characters “*” (matches zero or many characters) and -“?” (matches at least one character). - |
-
-selector - - -Kubernetes meta/v1.LabelSelector - - - |
-
-(Optional)
- Selector is a label selector. Label keys and values in |
-
-namespaceSelector - - -Kubernetes meta/v1.LabelSelector - - - |
-
-(Optional)
- NamespaceSelector is a label selector for the resource namespace. Label keys and values
-in |
-
-
ResourceFilter allow users to “AND” or “OR” between resources
- -Field | -Description | -
---|---|
-UserInfo - -github.com/kyverno/kyverno/api/kyverno/v1.UserInfo - - |
-
-(Optional)
- UserInfo contains information about the user performing the operation. - |
-
-resources - - -ResourceDescription - - - |
-
- ResourceDescription contains information about the resource being created or modified. - |
-
[]./api/kyverno/v2beta1.ResourceFilter
alias)-
ResourceFilters is a slice of ResourceFilter
- --(Appears on: -Spec) -
--
Rule defines a validation, mutation, or generation control for matching resources. -Each rules contains a match declaration to select resources, and an optional exclude -declaration to specify which resources to exclude.
- -Field | -Description | -
---|---|
-name - -string - - |
-
- Name is a label to identify the rule, It must be unique within the policy. - |
-
-context - -[]github.com/kyverno/kyverno/api/kyverno/v1.ContextEntry - - |
-
-(Optional)
- Context defines variables and data sources that can be used during rule execution. - |
-
-match - - -MatchResources - - - |
-
- MatchResources defines when this policy rule should be applied. The match -criteria can include resource information (e.g. kind, name, namespace, labels) -and admission review request information like the user name or role. -At least one kind is required. - |
-
-exclude - - -MatchResources - - - |
-
-(Optional)
- ExcludeResources defines when this policy rule should not be applied. The exclude -criteria can include resource information (e.g. kind, name, namespace, labels) -and admission review request information like the name or role. - |
-
-imageExtractors - -github.com/kyverno/kyverno/api/kyverno/v1.ImageExtractorConfigs - - |
-
-(Optional)
- ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. -This config is only valid for verifyImages rules. - |
-
-preconditions - - -AnyAllConditions - - - |
-
-(Optional)
- Preconditions are used to determine if a policy rule should be applied by evaluating a
-set of conditions. The declaration can contain nested |
-
-mutate - -github.com/kyverno/kyverno/api/kyverno/v1.Mutation - - |
-
-(Optional)
- Mutation is used to modify matching resources. - |
-
-validate - - -Validation - - - |
-
-(Optional)
- Validation is used to validate matching resources. - |
-
-generate - -github.com/kyverno/kyverno/api/kyverno/v1.Generation - - |
-
-(Optional)
- Generation is used to create new resources. - |
-
-verifyImages - - -[]ImageVerification - - - |
-
-(Optional)
- VerifyImages is used to verify image signatures and mutate them to add a digest - |
-
-(Appears on: -ClusterPolicy, -Policy) -
--
Spec contains a list of Rule instances and other policy controls.
- -Field | -Description | -
---|---|
-rules - - -[]Rule - - - |
-
- Rules is a list of Rule instances. A Policy contains multiple rules and -each rule can validate, mutate, or generate resources. - |
-
-applyRules - -github.com/kyverno/kyverno/api/kyverno/v1.ApplyRulesType - - |
-
-(Optional)
- ApplyRules controls how rules in a policy are applied. Rule are processed in
-the order of declaration. When set to |
-
-failurePolicy - -github.com/kyverno/kyverno/api/kyverno/v1.FailurePolicyType - - |
-
-(Optional)
- FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. -Rules within the same policy share the same failure behavior. -Allowed values are Ignore or Fail. Defaults to Fail. - |
-
-validationFailureAction - -github.com/kyverno/kyverno/api/kyverno/v1.ValidationFailureAction - - |
-
-(Optional)
- ValidationFailureAction defines if a validation policy rule violation should block -the admission review request (enforce), or allow (audit) the admission review request -and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”. - |
-
-validationFailureActionOverrides - -[]github.com/kyverno/kyverno/api/kyverno/v1.ValidationFailureActionOverride - - |
-
-(Optional)
- ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction -namespace-wise. It overrides ValidationFailureAction for the specified namespaces. - |
-
-background - -bool - - |
-
-(Optional)
- Background controls if rules are applied to existing resources during a background scan. -Optional. Default value is “true”. The value must be set to “false” if the policy rule -uses variables that are only available in the admission review request (e.g. user name). - |
-
-schemaValidation - -bool - - |
-
-(Optional)
- SchemaValidation skips policy validation checks. -Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks. - |
-
-webhookTimeoutSeconds - -int32 - - |
-
- WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. -After the configured time expires, the admission request may fail, or may simply ignore the policy results, -based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. - |
-
-mutateExistingOnPolicyUpdate - -bool - - |
-
-(Optional)
- MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. -Default value is “false”. - |
-
-generateExistingOnPolicyUpdate - -bool - - |
-
-(Optional)
- GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources -If is set to “true” generate rule will be triggered and applied to existing matched resources. -Defaults to “false” if not specified. - |
-
-(Appears on: -Rule) -
--
Validation defines checks to be performed on matching resources.
- -Field | -Description | -
---|---|
-message - -string - - |
-
-(Optional)
- Message specifies a custom message to be displayed on failure. - |
-
-manifests - -github.com/kyverno/kyverno/api/kyverno/v1.Manifests - - |
-
-(Optional)
- Manifest specifies conditions for manifest verification - |
-
-foreach - -[]github.com/kyverno/kyverno/api/kyverno/v1.ForEachValidation - - |
-
-(Optional)
- ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. - |
-
-pattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- Pattern specifies an overlay-style pattern used to check resources. - |
-
-anyPattern - - -Kubernetes apiextensions/v1.JSON - - - |
-
-(Optional)
- AnyPattern specifies list of validation patterns. At least one of the patterns -must be satisfied for the validation rule to succeed. - |
-
-deny - - -Deny - - - |
-
-(Optional)
- Deny defines conditions used to pass or fail a validation rule. - |
-
-podSecurity - -github.com/kyverno/kyverno/api/kyverno/v1.PodSecurity - - |
-
-(Optional)
- PodSecurity applies exemptions for Kubernetes Pod Security admission -by specifying exclusions for Pod Security Standards controls. - |
-
{{ fieldName . }}
- (Members of {{ fieldName . }}
are embedded into this type.)
-
metadata
field.
- {{ end }}
-
- {{ if or (eq (fieldName .) "spec") }}
- - {{ safe (renderComments .) }} -
- {{ end }} - {{ end }} - - Resource Types: -{{.Underlying}}
alias){{ end -}}
-- (Appears on: - {{- $prev := "" -}} - {{- range . -}} - {{- if $prev -}}, {{ end -}} - {{ $prev = . }} - {{ typeDisplayName . }} - {{- end -}} - ) -
-{{ end }} - - -- {{ safe (renderComments .CommentLines) }} -
- -{{ if .Members }} -Field | -Description | -
---|---|
- apiVersion - string |
-
-
- {{apiGroup .}}
-
- |
-
- kind - string - |
- {{.Name.Name}} |
-
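Review bot: the removed HTML carries several defects that originate in the Go API doc comments, not in the generator, so they will reappear wherever these docs are regenerated unless fixed at the source. Visible in the deleted content: the v1beta1 package heading reads "Package v1beta1 contains API Schema definitions for the policy v1alpha1 API group" (the group name should be v1beta1); the Rule description has "Each rules contains a match declaration"; the Spec.applyRules description has "Rule are processed in the order of declaration"; and the UpdateRequestSpec.context description is an unfinished "Context …". Since this PR deletes the generated copy, consider correcting those comment strings in the corresponding api/kyverno package doc files (exact file paths are an assumption on my part) in the same change, and note that the tail of the deleted file also contains unrendered template directives such as `{{ fieldName . }}` and `{{ safe (renderComments .) }}`, which suggests the template sources were captured into the output; confirm the templates the generator needs are kept or relocated rather than lost with this deletion.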