mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 02:45:06 +00:00
update crd manifests
This commit is contained in:
parent
46b1b7a0a0
commit
1e00ef27d0
6 changed files with 1312 additions and 830 deletions
|
@ -48,20 +48,26 @@ spec:
|
|||
background:
|
||||
default: true
|
||||
description: Background controls if rules are applied to existing
|
||||
resources during a background scan. Default value is "true".
|
||||
resources during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
rules:
|
||||
description: Rules contains the list of rules to be applied to resources.
|
||||
description: Rules is a list of Rule instances
|
||||
items:
|
||||
description: Rule contains a mutation, validation, or generation
|
||||
action for the single resource description.
|
||||
description: Rule defines a validation, mutation, or generation
|
||||
control for matching resources.
|
||||
properties:
|
||||
context:
|
||||
description: Defines variables that can be used during rule
|
||||
execution.
|
||||
description: Context defines data sources and variables that
|
||||
can be used during rule execution.
|
||||
items:
|
||||
description: ContextEntry adds variables and data sources
|
||||
to a rule Context
|
||||
properties:
|
||||
configMap:
|
||||
description: ConfigMapReference refers to a ConfigMap
|
||||
properties:
|
||||
name:
|
||||
type: string
|
||||
|
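Review bot: the new `background` description in this hunk states a constraint ("must be set to "false" if the policy rule uses variables that are only available in the admission review request") that the schema itself cannot enforce, since the property carries only `default: true` and `type: boolean`; say where it is enforced (policy validation at admission time, or the CLI) or phrase it as guidance, otherwise a reader may assume the API server rejects such a policy. Minor: `Rules is a list of Rule instances` is the only rewritten description in the hunk without a trailing period, and the context line `ContextEntry adds variables and data sources to a rule Context` has the same issue.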
@ -73,37 +79,46 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
exclude:
|
||||
description: Selects resources for which the policy rule should
|
||||
not be applied.
|
||||
description: ExcludeResources selects resources to which the
|
||||
policy rule should not be applied.
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: Specifies list of cluster wide role names.
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: Specifies resources to which rule is excluded.
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Specifies map of annotations.
|
||||
description: Annotations is a map of annotations (string
|
||||
key-value pairs). Annotation values supports wildcard
|
||||
characters "*" (matches zero or many characters) and
|
||||
"?" (at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Specifies list of resource kind.
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name is the name of the resource. The name
|
||||
supports wildcard characters "*" (matches zero or
|
||||
many characters) and "?" (at least one character).
|
||||
type: string
|
||||
namespaces:
|
||||
description: Specifies list of namespaces.
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: Specifies the set of selectors.
|
||||
description: Selector is a label selector.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
|
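Review bot: `Annotation values supports wildcard characters` should read `support`, and the definition of "?" as "(at least one character)", repeated in this hunk for `annotations`, `name` and `namespaces`, should be checked against the matcher's actual behaviour, because in conventional glob syntax "?" matches exactly one character; this description is the only place users learn the semantics of a wildcard that decides which resources an `exclude` block lifts policy from, so it has to be exact. Also, `exclude.resources` now reads "ResourceDescription contains information about the resource being created or modified", which appears to be the shared type's comment rather than a field comment, so the old field-specific meaning ("resources to which rule is excluded") is lost; a field-level comment in the Go source would keep the exclude-specific sentence in the generated CRD.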
@ -150,13 +165,14 @@ spec:
|
|||
type: object
|
||||
type: object
|
||||
roles:
|
||||
description: Specifies list of namespaced role names.
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Specifies list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
|
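Review bot: `roles`, `clusterRoles` and `subjects` match on the requesting user's identity, which is only available in the admission review request, yet none of these descriptions says so; since the `background` description earlier in this file tells users to set `background` to "false" when a rule depends on admission-request-only data, a cross-reference here ("evaluated only for admission requests; set background to false") would keep the two pieces of documentation consistent. Style: `for the user` in `Roles is the list of namespaced role names for the user` is ambiguous; `of the requesting user` is clearer.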
@ -192,73 +208,85 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
generate:
|
||||
description: Generates new resources.
|
||||
description: Generation creates new resources.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: Specifies resource apiVersion.
|
||||
description: APIVersion specifies resource apiVersion.
|
||||
type: string
|
||||
clone:
|
||||
description: To clone resource from other resource.
|
||||
description: Clone specified the source resource used to
|
||||
populate each generated resource. Exactly one of Data
|
||||
or Clone must be specified.
|
||||
properties:
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name specifies name of the resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies source resource namespace.
|
||||
type: string
|
||||
type: object
|
||||
data:
|
||||
description: Data specifies the resource manifest to be
|
||||
generated.
|
||||
description: Data provides the resource manifest to used
|
||||
to populate each generated resource. Exactly one of Data
|
||||
or Clone must be specified.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
kind:
|
||||
description: Specifies resource kind.
|
||||
description: Kind specifies resource kind.
|
||||
type: string
|
||||
name:
|
||||
description: Specifies resource name.
|
||||
description: Name specifies the resource name.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies resource namespace.
|
||||
type: string
|
||||
synchronize:
|
||||
default: false
|
||||
description: To keep resources synchronized with source
|
||||
resource.
|
||||
description: Synchronize controls if generated resources
|
||||
should be kept in-sync with their source resource. Optional.
|
||||
Defaults to "false" if not specified.
|
||||
type: boolean
|
||||
type: object
|
||||
match:
|
||||
description: Selects resources for which the policy rule should
|
||||
be applied. If it's defined, "kinds" inside MatchResources
|
||||
block is required.
|
||||
description: MatchResources selects resources to which the policy
|
||||
rule should be applied. At least one kind is required.
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: Specifies list of cluster wide role names.
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: Specifies resources to which rule is applied.
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Specifies map of annotations.
|
||||
description: Annotations is a map of annotations (string
|
||||
key-value pairs). Annotation values supports wildcard
|
||||
characters "*" (matches zero or many characters) and
|
||||
"?" (at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Specifies list of resource kind.
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name is the name of the resource. The name
|
||||
supports wildcard characters "*" (matches zero or
|
||||
many characters) and "?" (at least one character).
|
||||
type: string
|
||||
namespaces:
|
||||
description: Specifies list of namespaces.
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: Specifies the set of selectors.
|
||||
description: Selector is a label selector.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
|
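Review bot: two typos in the `generate` descriptions: `Clone specified the source resource` should be `Clone specifies`, and `Data provides the resource manifest to used to populate` should be `the resource manifest used to populate`. The constraint "Exactly one of Data or Clone must be specified", repeated under both `clone` and `data`, is not expressed in the schema (no `oneOf`), and the same goes for "At least one kind is required" under `match`, which replaced the older "kinds inside MatchResources block is required" without adding `required: - kinds`; either encode these in the CRD or state that admission-time policy validation enforces them. Also, `clone.namespace` says "source resource namespace" while `clone.name` says only "name of the resource"; making both say "source" avoids confusion with the generated resource's `name` and `namespace` just below.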
@ -305,13 +333,14 @@ spec:
|
|||
type: object
|
||||
type: object
|
||||
roles:
|
||||
description: Specifies list of namespaced role names.
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Specifies list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
|
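Review bot: these `roles`, `subjects` and `Subject` descriptions under `match` are the same text as in the `exclude` block above, so the comment there (mention that these selectors depend on admission-request user information, and prefer `of the requesting user` over `for the user`) applies here as well; if both come from one shared Go type, one comment fix covers both.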
@ -347,161 +376,192 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
mutate:
|
||||
description: Modifies matching resources.
|
||||
description: Mutation modifies matching resources.
|
||||
properties:
|
||||
overlay:
|
||||
description: Specifies overlay patterns. Overlay is preserved
|
||||
for backwards compatibility and will be removed in Kyverno
|
||||
1.5+.
|
||||
description: Overlay specifies an overlay pattern to modify
|
||||
resources. DEPRECATED. Use PatchStrategicMerge instead.
|
||||
Scheduled for removal in release 1.5+.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchStrategicMerge:
|
||||
description: PatchStrategicMerge is a strategic merge patch
|
||||
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patches:
|
||||
description: Specifies JSON Patch. Patches is preserved
|
||||
for backwards compatibility and will be removed in Kyverno
|
||||
1.5+.
|
||||
description: Patches specifies a RFC 6902 JSON Patch to
|
||||
modify resources. DEPRECATED. Use PatchesJSON6902 instead.
|
||||
Scheduled for removal in release 1.5+.
|
||||
items:
|
||||
description: Patch declares patch operation for created
|
||||
object according to RFC 6902.
|
||||
description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902'
|
||||
properties:
|
||||
op:
|
||||
description: Specifies operations supported by JSON
|
||||
Patch. i.e:- add, replace and delete.
|
||||
description: Operation specifies operations supported
|
||||
by JSON Patch. i.e:- add, replace and delete.
|
||||
type: string
|
||||
path:
|
||||
description: Specifies path of the resource.
|
||||
description: Path specifies path of the resource.
|
||||
type: string
|
||||
value:
|
||||
description: Specifies the value to be applied.
|
||||
description: Value specifies the value to be applied.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
patchesJson6902:
|
||||
description: PatchesJSON6902 is a list of RFC 6902 JSON
|
||||
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
|
||||
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
|
||||
type: string
|
||||
type: object
|
||||
name:
|
||||
description: A unique label for the rule.
|
||||
description: Name is a label to identify the rule, Must be unique
|
||||
within the policy.
|
||||
type: string
|
||||
preconditions:
|
||||
description: Allows condition-based control of the policy rule
|
||||
description: Conditions enabled variable-based conditional rule
|
||||
execution.
|
||||
items:
|
||||
description: Condition defines the evaluation condition.
|
||||
description: Condition defines variable-based conditional
|
||||
criteria for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key contains key to compare.
|
||||
description: Key is the context entry (using JMESPath)
|
||||
for conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
operator:
|
||||
description: Operator to compare against value.
|
||||
description: Operator is the operation to perform.
|
||||
type: string
|
||||
value:
|
||||
description: Value to be compared.
|
||||
description: Value is the conditional value, or set of
|
||||
values. The values can be fixed set or can be variables
|
||||
declared using using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
validate:
|
||||
description: Checks matching resources.
|
||||
description: Validation checks matching resources.
|
||||
properties:
|
||||
anyPattern:
|
||||
description: Specifies list of validation patterns.
|
||||
description: AnyPattern specifies list of validation patterns.
|
||||
At least one of the patterns must be satisfied for the
|
||||
validation rule to succeed.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
deny:
|
||||
description: Specifies conditions to deny validation.
|
||||
description: Deny defines conditions to fail the validation
|
||||
rule.
|
||||
properties:
|
||||
conditions:
|
||||
description: Specifies set of condition to deny.
|
||||
items:
|
||||
description: Condition defines the evaluation condition.
|
||||
description: Condition defines variable-based conditional
|
||||
criteria for rule execution.
|
||||
properties:
|
||||
key:
|
||||
description: Key contains key to compare.
|
||||
description: Key is the context entry (using JMESPath)
|
||||
for conditional rule evaluation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
operator:
|
||||
description: Operator to compare against value.
|
||||
description: Operator is the operation to perform.
|
||||
type: string
|
||||
value:
|
||||
description: Value to be compared.
|
||||
description: Value is the conditional value, or
|
||||
set of values. The values can be fixed set or
|
||||
can be variables declared using using JMESPath.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: array
|
||||
type: object
|
||||
message:
|
||||
description: Specifies message to be displayed on validation
|
||||
policy violation.
|
||||
description: Message specifies a custom message to be displayed
|
||||
on failure.
|
||||
type: string
|
||||
pattern:
|
||||
description: Specifies validation pattern.
|
||||
description: Pattern specifies an overlay-style pattern
|
||||
used to check resources.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
type: object
|
||||
type: array
|
||||
validationFailureAction:
|
||||
default: audit
|
||||
description: ValidationFailureAction controls if a policy failure
|
||||
should not disallow an admission review request (enforce), or allow
|
||||
(audit) and report an error. Default value is "audit".
|
||||
description: ValidationFailureAction controls if a validation policy
|
||||
rule failure should disallow the admission review request (enforce),
|
||||
or allow (audit) the admission review request and report an error
|
||||
in a policy report. Optional. The default value is "audit".
|
||||
type: string
|
||||
type: object
|
||||
status:
|
||||
description: Status contains statistics related to policy
|
||||
properties:
|
||||
averageExecutionTime:
|
||||
description: Average time required to process the policy rules on
|
||||
a resource.
|
||||
description: AvgExecutionTime is the average time taken to process
|
||||
the policy rules on a resource.
|
||||
type: string
|
||||
resourcesBlockedCount:
|
||||
description: Count of resources that were blocked for failing a validate,
|
||||
across all rules.
|
||||
description: ResourcesBlockedCount is the total count of admission
|
||||
review requests that were blocked by this policy.
|
||||
type: integer
|
||||
resourcesGeneratedCount:
|
||||
description: Count of resources that were successfully generated,
|
||||
across all rules.
|
||||
description: ResourcesGeneratedCount is the total count of resources
|
||||
that were generated by this policy.
|
||||
type: integer
|
||||
resourcesMutatedCount:
|
||||
description: Count of resources that were successfully mutated, across
|
||||
all rules.
|
||||
description: ResourcesMutatedCount is the total count of resources
|
||||
that were mutated by this policy.
|
||||
type: integer
|
||||
ruleStatus:
|
||||
description: Rules provides per rule statistics
|
||||
items:
|
||||
description: RuleStats provides status per rule.
|
||||
description: RuleStats provides statistics for an individual rule
|
||||
within a policy.
|
||||
properties:
|
||||
appliedCount:
|
||||
description: Count of rules that were applied.
|
||||
description: AppliedCount is the total number of times this
|
||||
rule was applied.
|
||||
type: integer
|
||||
averageExecutionTime:
|
||||
description: Average time require to process the rule.
|
||||
description: ExecutionTime is the average time taken to execute
|
||||
this rule.
|
||||
type: string
|
||||
failedCount:
|
||||
description: Count of rules that failed.
|
||||
description: FailedCount is the total count of policy error
|
||||
results for this rule.
|
||||
type: integer
|
||||
resourcesBlockedCount:
|
||||
description: Count of resources for whom update/create api requests
|
||||
were blocked as the resource did not satisfy the policy rules.
|
||||
description: ResourcesBlockedCount is the total count of admission
|
||||
review requests that were blocked by this rule.
|
||||
type: integer
|
||||
resourcesGeneratedCount:
|
||||
description: Count of resources that were successfully generated.
|
||||
description: ResourcesGeneratedCount is the total count of resources
|
||||
that were generated by this rule.
|
||||
type: integer
|
||||
resourcesMutatedCount:
|
||||
description: Count of resources that were successfully mutated.
|
||||
description: ResourcesMutatedCount is the total count of resources
|
||||
that were mutated by this rule.
|
||||
type: integer
|
||||
ruleName:
|
||||
description: Rule name.
|
||||
description: Name is the rule name.
|
||||
type: string
|
||||
violationCount:
|
||||
description: Number of violations created by this rule.
|
||||
description: ViolationCount is the total count of policy failure
|
||||
results for this rule.
|
||||
type: integer
|
||||
required:
|
||||
- ruleName
|
||||
type: object
|
||||
type: array
|
||||
rulesAppliedCount:
|
||||
description: Count of rules that were applied.
|
||||
description: RulesAppliedCount is the total number of times this policy
|
||||
was applied.
|
||||
type: integer
|
||||
rulesFailedCount:
|
||||
description: Count of rules that failed.
|
||||
description: RulesFailedCount is the total count of policy execution
|
||||
errors for this policy.
|
||||
type: integer
|
||||
violationCount:
|
||||
description: Number of violations created by this policy.
|
||||
description: ViolationCount is the total count of policy failure results
|
||||
for this policy.
|
||||
type: integer
|
||||
type: object
|
||||
required:
|
||||
|
|
|
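Review bot: `validationFailureAction` is still a bare `type: string` with `default: audit`; since this field decides whether a failing resource is blocked (enforce) or only reported (audit), add `enum: [audit, enforce]` so that a misspelled value is rejected by the API server instead of being accepted silently. The JSON Patch `op` description ("i.e:- add, replace and delete") is also wrong for RFC 6902, which defines add, remove, replace, move, copy and test; "delete" is not an operation. Remaining wording issues: `Conditions enabled variable-based conditional rule execution` should read `enable`; `declared using using JMESPath` (twice, under `preconditions` and `deny`) doubles a word; `Name is a label to identify the rule, Must be unique within the policy` needs a period instead of the comma; and `patchesJson6902` is described as "a list of RFC 6902 JSON Patch declarations" but typed `type: string`, so the description should say the patches are supplied as a YAML/JSON string.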
@ -96,16 +96,16 @@ spec:
|
|||
request
|
||||
properties:
|
||||
apiVersion:
|
||||
description: Specifies resource apiVersion.
|
||||
description: APIVersion specifies resource apiVersion.
|
||||
type: string
|
||||
kind:
|
||||
description: Specifies resource kind.
|
||||
description: Kind specifies resource kind.
|
||||
type: string
|
||||
name:
|
||||
description: Specifies resource name.
|
||||
description: Name specifies the resource name.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies resource namespace.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
|
@ -120,19 +120,19 @@ spec:
|
|||
description: This will track the resources that are generated by the
|
||||
generate Policy Will be used during clean up resources
|
||||
items:
|
||||
description: ResourceSpec information to identify the resource.
|
||||
description: ResourceSpec contains information to identify a resource.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: Specifies resource apiVersion.
|
||||
description: APIVersion specifies resource apiVersion.
|
||||
type: string
|
||||
kind:
|
||||
description: Specifies resource kind.
|
||||
description: Kind specifies resource kind.
|
||||
type: string
|
||||
name:
|
||||
description: Specifies resource name.
|
||||
description: Name specifies the resource name.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies resource namespace.
|
||||
type: string
|
||||
type: object
|
||||
type: array
|
||||
|
|
|
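Review bot: the context line `This will track the resources that are generated by the generate Policy Will be used during clean up resources` is left unchanged although every neighbouring description in this hunk was rewritten; since this pass is about CRD description quality, the same hunk could fix it, e.g. `Tracks the resources generated by the generate policy; used during clean-up.` Otherwise the `ResourceSpec` descriptions here match the ones in the previous hunk.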
@ -28,7 +28,9 @@ spec:
|
|||
name: v1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Policy contains rules to be applied to created resources.
|
||||
description: 'Policy declares validation, mutation, and generation behaviors
|
||||
for matching resources. See: https://kyverno.io/docs/writing-policies/ for
|
||||
more information.'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
|
@ -43,25 +45,31 @@ spec:
|
|||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: Spec is the information to identify the policy.
|
||||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
background:
|
||||
default: true
|
||||
description: Background controls if rules are applied to existing
|
||||
resources during a background scan. Default value is "true".
|
||||
resources during a background scan. Optional. Default value is "true".
|
||||
The value must be set to "false" if the policy rule uses variables
|
||||
that are only available in the admission review request (e.g. user
|
||||
name).
|
||||
type: boolean
|
||||
rules:
|
||||
description: Rules contains the list of rules to be applied to resources.
|
||||
description: Rules is a list of Rule instances
|
||||
items:
|
||||
description: Rule contains a mutation, validation, or generation
|
||||
action for the single resource description.
|
||||
description: Rule defines a validation, mutation, or generation
|
||||
control for matching resources.
|
||||
properties:
|
||||
context:
|
||||
description: Defines variables that can be used during rule
|
||||
execution.
|
||||
description: Context defines data sources and variables that
|
||||
can be used during rule execution.
|
||||
items:
|
||||
description: ContextEntry adds variables and data sources
|
||||
to a rule Context
|
||||
properties:
|
||||
configMap:
|
||||
description: ConfigMapReference refers to a ConfigMap
|
||||
properties:
|
||||
name:
|
||||
type: string
|
||||
|
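Review bot: this hunk carries the same `background`, `rules` and `context` description changes as the first file's `@ -48,20 +48,26 @@ spec:` hunk, so the comment there about the unenforced `background` constraint and the missing trailing period on `Rules is a list of Rule instances` applies here too; if both CRDs are generated from the same Go types, fixing the Go comment once covers both.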
@ -73,37 +81,46 @@ spec:
|
|||
type: object
|
||||
type: array
|
||||
exclude:
|
||||
description: Selects resources for which the policy rule should
|
||||
not be applied.
|
||||
description: ExcludeResources selects resources to which the
|
||||
policy rule should not be applied.
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: Specifies list of cluster wide role names.
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: Specifies resources to which rule is excluded.
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Specifies map of annotations.
|
||||
description: Annotations is a map of annotations (string
|
||||
key-value pairs). Annotation values supports wildcard
|
||||
characters "*" (matches zero or many characters) and
|
||||
"?" (at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Specifies list of resource kind.
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name is the name of the resource. The name
|
||||
supports wildcard characters "*" (matches zero or
|
||||
many characters) and "?" (at least one character).
|
||||
type: string
|
||||
namespaces:
|
||||
description: Specifies list of namespaces.
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: Specifies the set of selectors.
|
||||
description: Selector is a label selector.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
|
@ -150,13 +167,14 @@ spec:
|
|||
type: object
|
||||
type: object
|
||||
roles:
|
||||
description: Specifies list of namespaced role names.
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Specifies list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
|
@ -192,73 +210,85 @@ spec:
|
|||
type: array
|
||||
type: object
|
||||
generate:
|
||||
description: Generates new resources.
|
||||
description: Generation creates new resources.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: Specifies resource apiVersion.
|
||||
description: APIVersion specifies resource apiVersion.
|
||||
type: string
|
||||
clone:
|
||||
description: To clone resource from other resource.
|
||||
description: Clone specified the source resource used to
|
||||
populate each generated resource. Exactly one of Data
|
||||
or Clone must be specified.
|
||||
properties:
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name specifies name of the resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies source resource namespace.
|
||||
type: string
|
||||
type: object
|
||||
data:
|
||||
description: Data specifies the resource manifest to be
|
||||
generated.
|
||||
description: Data provides the resource manifest to used
|
||||
to populate each generated resource. Exactly one of Data
|
||||
or Clone must be specified.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
kind:
|
||||
description: Specifies resource kind.
|
||||
description: Kind specifies resource kind.
|
||||
type: string
|
||||
name:
|
||||
description: Specifies resource name.
|
||||
description: Name specifies the resource name.
|
||||
type: string
|
||||
namespace:
|
||||
description: Specifies resource namespace.
|
||||
description: Namespace specifies resource namespace.
|
||||
type: string
|
||||
synchronize:
|
||||
default: false
|
||||
description: To keep resources synchronized with source
|
||||
resource.
|
||||
description: Synchronize controls if generated resources
|
||||
should be kept in-sync with their source resource. Optional.
|
||||
Defaults to "false" if not specified.
|
||||
type: boolean
|
||||
type: object
|
||||
match:
|
||||
description: Selects resources for which the policy rule should
|
||||
be applied. If it's defined, "kinds" inside MatchResources
|
||||
block is required.
|
||||
description: MatchResources selects resources to which the policy
|
||||
rule should be applied. At least one kind is required.
|
||||
properties:
|
||||
clusterRoles:
|
||||
description: Specifies list of cluster wide role names.
|
||||
description: ClusterRoles is the list of cluster-wide role
|
||||
names for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
resources:
|
||||
description: Specifies resources to which rule is applied.
|
||||
description: ResourceDescription contains information about
|
||||
the resource being created or modified.
|
||||
properties:
|
||||
annotations:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: Specifies map of annotations.
|
||||
description: Annotations is a map of annotations (string
|
||||
key-value pairs). Annotation values supports wildcard
|
||||
characters "*" (matches zero or many characters) and
|
||||
"?" (at least one character).
|
||||
type: object
|
||||
kinds:
|
||||
description: Specifies list of resource kind.
|
||||
description: Kinds is a list of resource kinds.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
name:
|
||||
description: Specifies name of the resource.
|
||||
description: Name is the name of the resource. The name
|
||||
supports wildcard characters "*" (matches zero or
|
||||
many characters) and "?" (at least one character).
|
||||
type: string
|
||||
namespaces:
|
||||
description: Specifies list of namespaces.
|
||||
description: Namespaces is a list of namespaces names.
|
||||
Each name supports wildcard characters "*" (matches
|
||||
zero or many characters) and "?" (at least one character).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
selector:
|
||||
description: Specifies the set of selectors.
|
||||
description: Selector is a label selector.
|
||||
properties:
|
||||
matchExpressions:
|
||||
description: matchExpressions is a list of label
|
||||
|
@ -305,13 +335,14 @@ spec:
|
|||
type: object
|
||||
type: object
|
||||
roles:
|
||||
description: Specifies list of namespaced role names.
|
||||
description: Roles is the list of namespaced role names
|
||||
for the user.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
subjects:
|
||||
description: Specifies list of subject names like users,
|
||||
user groups, and service accounts.
|
||||
description: Subjects is the list of subject names like
|
||||
users, user groups, and service accounts.
|
||||
items:
|
||||
description: Subject contains a reference to the object
|
||||
or user identities a role binding applies to. This
|
||||
|
@ -347,161 +378,192 @@ spec:
type: array
type: object
mutate:
description: Modifies matching resources.
description: Mutation modifies matching resources.
properties:
overlay:
description: Specifies overlay patterns. Overlay is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
description: Overlay specifies an overlay pattern to modify
resources. DEPRECATED. Use PatchStrategicMerge instead.
Scheduled for removal in release 1.5+.
x-kubernetes-preserve-unknown-fields: true
patchStrategicMerge:
description: PatchStrategicMerge is a strategic merge patch
used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
x-kubernetes-preserve-unknown-fields: true
patches:
description: Specifies JSON Patch. Patches is preserved
for backwards compatibility and will be removed in Kyverno
1.5+.
description: Patches specifies a RFC 6902 JSON Patch to
modify resources. DEPRECATED. Use PatchesJSON6902 instead.
Scheduled for removal in release 1.5+.
items:
description: Patch declares patch operation for created
object according to RFC 6902.
description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902'
properties:
op:
description: Specifies operations supported by JSON
Patch. i.e:- add, replace and delete.
description: Operation specifies operations supported
by JSON Patch. i.e:- add, replace and delete.
type: string
path:
description: Specifies path of the resource.
description: Path specifies path of the resource.
type: string
value:
description: Specifies the value to be applied.
description: Value specifies the value to be applied.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
description: PatchesJSON6902 is a list of RFC 6902 JSON
Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902
and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
type: string
type: object
name:
description: A unique label for the rule.
description: Name is a label to identify the rule, Must be unique
within the policy.
type: string
preconditions:
description: Allows condition-based control of the policy rule
description: Conditions enabled variable-based conditional rule
execution.
items:
description: Condition defines the evaluation condition.
description: Condition defines variable-based conditional
criteria for rule execution.
properties:
key:
description: Key contains key to compare.
description: Key is the context entry (using JMESPath)
for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
description: Operator is the operation to perform.
type: string
value:
description: Value to be compared.
description: Value is the conditional value, or set of
values. The values can be fixed set or can be variables
declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
validate:
description: Checks matching resources.
description: Validation checks matching resources.
properties:
anyPattern:
description: Specifies list of validation patterns.
description: AnyPattern specifies list of validation patterns.
At least one of the patterns must be satisfied for the
validation rule to succeed.
x-kubernetes-preserve-unknown-fields: true
deny:
description: Specifies conditions to deny validation.
description: Deny defines conditions to fail the validation
rule.
properties:
conditions:
description: Specifies set of condition to deny.
items:
description: Condition defines the evaluation condition.
description: Condition defines variable-based conditional
criteria for rule execution.
properties:
key:
description: Key contains key to compare.
description: Key is the context entry (using JMESPath)
for conditional rule evaluation.
x-kubernetes-preserve-unknown-fields: true
operator:
description: Operator to compare against value.
description: Operator is the operation to perform.
type: string
value:
description: Value to be compared.
description: Value is the conditional value, or
set of values. The values can be fixed set or
can be variables declared using using JMESPath.
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
message:
description: Specifies message to be displayed on validation
policy violation.
description: Message specifies a custom message to be displayed
on failure.
type: string
pattern:
description: Specifies validation pattern.
description: Pattern specifies an overlay-style pattern
used to check resources.
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: array
validationFailureAction:
default: audit
description: ValidationFailureAction controls if a policy failure
should not disallow an admission review request (enforce), or allow
(audit) and report an error. Default value is "audit".
description: ValidationFailureAction controls if a validation policy
rule failure should disallow the admission review request (enforce),
or allow (audit) the admission review request and report an error
in a policy report. Optional. The default value is "audit".
type: string
type: object
status:
description: Status contains statistics related to policy.
description: Status contains policy runtime data.
properties:
averageExecutionTime:
description: Average time required to process the policy rules on
a resource.
description: AvgExecutionTime is the average time taken to process
the policy rules on a resource.
type: string
resourcesBlockedCount:
description: Count of resources that were blocked for failing a validate,
across all rules.
description: ResourcesBlockedCount is the total count of admission
review requests that were blocked by this policy.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated,
across all rules.
description: ResourcesGeneratedCount is the total count of resources
that were generated by this policy.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated, across
all rules.
description: ResourcesMutatedCount is the total count of resources
that were mutated by this policy.
type: integer
ruleStatus:
description: Rules provides per rule statistics
items:
description: RuleStats provides status per rule.
description: RuleStats provides statistics for an individual rule
within a policy.
properties:
appliedCount:
description: Count of rules that were applied.
description: AppliedCount is the total number of times this
rule was applied.
type: integer
averageExecutionTime:
description: Average time require to process the rule.
description: ExecutionTime is the average time taken to execute
this rule.
type: string
failedCount:
description: Count of rules that failed.
description: FailedCount is the total count of policy error
results for this rule.
type: integer
resourcesBlockedCount:
description: Count of resources for whom update/create api requests
were blocked as the resource did not satisfy the policy rules.
description: ResourcesBlockedCount is the total count of admission
review requests that were blocked by this rule.
type: integer
resourcesGeneratedCount:
description: Count of resources that were successfully generated.
description: ResourcesGeneratedCount is the total count of resources
that were generated by this rule.
type: integer
resourcesMutatedCount:
description: Count of resources that were successfully mutated.
description: ResourcesMutatedCount is the total count of resources
that were mutated by this rule.
type: integer
ruleName:
description: Rule name.
description: Name is the rule name.
type: string
violationCount:
description: Number of violations created by this rule.
description: ViolationCount is the total count of policy failure
results for this rule.
type: integer
required:
- ruleName
type: object
type: array
rulesAppliedCount:
description: Count of rules that were applied.
description: RulesAppliedCount is the total number of times this policy
was applied.
type: integer
rulesFailedCount:
description: Count of rules that failed.
description: RulesFailedCount is the total count of policy execution
errors for this policy.
type: integer
violationCount:
description: Number of violations created by this policy.
description: ViolationCount is the total count of policy failure results
for this policy.
type: integer
type: object
required:
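Review bot: the rewritten `op` description under `patches` ("Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete.") names an operation that RFC 6902 does not define; the removal operation in that RFC is `remove` (the RFC also defines `move`, `copy` and `test`). Because `op` is a free `type: string` with no `enum`, a patch written with `delete` passes CRD validation and only fails later at rule execution, so the wording should read something like "e.g. add, remove, replace" or the field should carry an `enum`. The same missing-enum pattern shows up twice more in this hunk: `operator` ("Operator is the operation to perform.", `type: string`) does not say which operators are accepted, and `validationFailureAction` is `type: string` with `default: audit`, so any typo is accepted by the API server; an `enum` of the two documented values (enforce, audit) would reject it when the policy is applied rather than when it is evaluated. The `validationFailureAction` description is also the place to say plainly that the default allows non-compliant requests through and only reports them, since that is the fail-open behaviour a new policy gets until `enforce` is set. Smaller documentation points in the new text: "a RFC 6902" should be "an RFC 6902" (in both the `patches` and the item description); "Conditions enabled variable-based conditional rule execution." should be "enable"; "declared using using JMESPath" duplicates "using" in both the `preconditions` and `deny.conditions` value descriptions; "Name is a label to identify the rule, Must be unique within the policy." needs a period or lowercase after the comma; `patchesJson6902` is described as "a list of RFC 6902 JSON Patch declarations" while the schema declares it `type: string`, so the description should say it is a string holding the patch list; and the status descriptions lead with names that differ from their fields (`AvgExecutionTime` and `ExecutionTime` for the two `averageExecutionTime` fields, `Name` for `ruleName`), which is worth aligning since these descriptions are what `kubectl explain` shows.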