mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

feat: add global context crd to codegen (#9595)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2024-02-01 13:32:13 +01:00 committed by GitHub
parent 55587976d0
commit 1e0bac2d6f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 644 additions and 227 deletions


@ -591,6 +591,7 @@ codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
$(call generate_crd,kyverno.io_clusterbackgroundscanreports.yaml,kyverno,kyverno.io,kyverno,clusterbackgroundscanreports)
$(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies)
$(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies)
$(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries)
$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)


@ -184,52 +184,6 @@ type GlobalContextEntryReference struct {
JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}
// KubernetesResource stores infos about kubernetes resource that should be cached
type KubernetesResource struct {
// Group defines the group of the resource
Group string `json:"group,omitempty" yaml:"group,omitempty"`
// Version defines the version of the resource
Version string `json:"version,omitempty" yaml:"version,omitempty"`
// Resource defines the type of the resource
Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
// Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
// +kubebuilder:validation:Optional
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}
// Validate implements programmatic validation
func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) {
if k.Group == "" {
errs = append(errs, field.Required(path.Child("group"), "An Resource entry requires a group"))
}
if k.Version == "" {
errs = append(errs, field.Required(path.Child("version"), "An Resource entry requires a version"))
}
if k.Resource == "" {
errs = append(errs, field.Required(path.Child("resource"), "An Resource entry requires a resource"))
}
return errs
}
// ExternalAPICall stores infos about API call that should be cached
type ExternalAPICall struct {
APICall `json:",inline,omitempty" yaml:",inline,omitempty"`
// RefreshIntervalSeconds defines the interval at which to poll the APICall
// +kubebuilder:default=0
RefreshIntervalSeconds int64 `json:"refreshIntervalSeconds,omitempty" yaml:"refreshIntervalSeconds,omitempty"`
}
// Validate implements programmatic validation
func (e *ExternalAPICall) Validate(path *field.Path) (errs field.ErrorList) {
if e.Service.URL == "" {
errs = append(errs, field.Required(path.Child("url"), "An External API Call entry requires a url"))
}
if e.RefreshIntervalSeconds <= 0 {
errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "An Resource entry requires a refresh interval greater than 0 seconds"))
}
return errs
}
type ServiceCall struct {
// URL is the JSON web service URL. A typical form is
// `https://{service}.{namespace}:{port}/{path}`.


@ -516,23 +516,6 @@ func (in *DryRunOption) DeepCopy() *DryRunOption {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExternalAPICall) DeepCopyInto(out *ExternalAPICall) {
*out = *in
in.APICall.DeepCopyInto(&out.APICall)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAPICall.
func (in *ExternalAPICall) DeepCopy() *ExternalAPICall {
if in == nil {
return nil
}
out := new(ExternalAPICall)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) {
*out = *in
@ -876,22 +859,6 @@ func (in *KeylessAttestor) DeepCopy() *KeylessAttestor {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubernetesResource) DeepCopyInto(out *KubernetesResource) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesResource.
func (in *KubernetesResource) DeepCopy() *KubernetesResource {
if in == nil {
return nil
}
out := new(KubernetesResource)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Manifests) DeepCopyInto(out *Manifests) {
*out = *in


@ -29,15 +29,15 @@ import (
// GlobalContextEntry declares resources to be cached.
type GlobalContextEntry struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
metav1.TypeMeta `json:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec declares policy exception behaviors.
Spec GlobalContextEntrySpec `json:"spec" yaml:"spec"`
// Status contains globalcontextentry runtime data.
// +optional
Status GlobalContextEntryStatus `json:"status,omitempty" yaml:"status,omitempty"`
Status GlobalContextEntryStatus `json:"status,omitempty"`
}
// GetStatus returns the globalcontextentry status
@ -60,11 +60,11 @@ func (c *GlobalContextEntry) IsNamespaced() bool {
type GlobalContextEntrySpec struct {
// KubernetesResource stores infos about kubernetes resource that should be cached
// +kubebuilder:validation:Optional
KubernetesResource *kyvernov1.KubernetesResource `json:"kubernetesResource,omitempty" yaml:"kubernetesResource,omitempty"`
KubernetesResource *KubernetesResource `json:"kubernetesResource,omitempty"`
// APICall stores infos about API call that should be cached
// +kubebuilder:validation:Optional
APICall *kyvernov1.ExternalAPICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`
APICall *ExternalAPICall `json:"apiCall,omitempty"`
}
func (c *GlobalContextEntrySpec) IsAPICall() bool {
@ -94,7 +94,53 @@ func (c *GlobalContextEntrySpec) Validate(path *field.Path) (errs field.ErrorLis
// GlobalContextEntryList is a list of Cached Context Entries
type GlobalContextEntryList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
Items []GlobalContextEntry `json:"items" yaml:"items"`
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
Items []GlobalContextEntry `json:"items"`
}
// KubernetesResource stores infos about kubernetes resource that should be cached
type KubernetesResource struct {
// Group defines the group of the resource
Group string `json:"group,omitempty"`
// Version defines the version of the resource
Version string `json:"version,omitempty"`
// Resource defines the type of the resource
Resource string `json:"resource,omitempty"`
// Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.
// +kubebuilder:validation:Optional
Namespace string `json:"namespace,omitempty"`
}
// Validate implements programmatic validation
func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) {
if k.Group == "" {
errs = append(errs, field.Required(path.Child("group"), "An Resource entry requires a group"))
}
if k.Version == "" {
errs = append(errs, field.Required(path.Child("version"), "An Resource entry requires a version"))
}
if k.Resource == "" {
errs = append(errs, field.Required(path.Child("resource"), "An Resource entry requires a resource"))
}
return errs
}
// ExternalAPICall stores infos about API call that should be cached
type ExternalAPICall struct {
kyvernov1.APICall `json:",inline,omitempty"`
// RefreshIntervalSeconds defines the interval at which to poll the APICall
// +kubebuilder:default=0
RefreshIntervalSeconds int64 `json:"refreshIntervalSeconds,omitempty"`
}
// Validate implements programmatic validation
func (e *ExternalAPICall) Validate(path *field.Path) (errs field.ErrorList) {
if e.Service.URL == "" {
errs = append(errs, field.Required(path.Child("url"), "An External API Call entry requires a url"))
}
if e.RefreshIntervalSeconds <= 0 {
errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "An Resource entry requires a refresh interval greater than 0 seconds"))
}
return errs
}
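Review bot: In `ExternalAPICall.Validate`, `e.Service.URL` is read without first checking `e.Service`; the CRD schema generated in this same commit lists `service` as an optional object alongside `urlPath`, so if `Service` is a pointer in `kyvernov1.APICall` (its definition is not visible here) an entry that sets only `urlPath` would panic during validation instead of being rejected. A guard such as `if e.Service == nil || e.Service.URL == "" {` keeps that case a normal validation error, and the reported path would be more accurate as `path.Child("service", "url")`. The `+kubebuilder:default=0` marker on `RefreshIntervalSeconds` also contradicts the `<= 0` rejection, so an omitted interval always fails programmatic validation; `// +kubebuilder:validation:Minimum=1` in place of the default would let the API server enforce the same bound from the schema. The interval error is reported with `field.Required` and the text "An Resource entry…", which was carried over unchanged from the v1 package; `field.Invalid` with the offending value would describe the failure better.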


@ -22,9 +22,8 @@ limitations under the License.
package v2alpha1
import (
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -150,6 +149,23 @@ func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExternalAPICall) DeepCopyInto(out *ExternalAPICall) {
*out = *in
in.APICall.DeepCopyInto(&out.APICall)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAPICall.
func (in *ExternalAPICall) DeepCopy() *ExternalAPICall {
if in == nil {
return nil
}
out := new(ExternalAPICall)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *GlobalContextEntry) DeepCopyInto(out *GlobalContextEntry) {
*out = *in
@ -216,12 +232,12 @@ func (in *GlobalContextEntrySpec) DeepCopyInto(out *GlobalContextEntrySpec) {
*out = *in
if in.KubernetesResource != nil {
in, out := &in.KubernetesResource, &out.KubernetesResource
*out = new(v1.KubernetesResource)
*out = new(KubernetesResource)
**out = **in
}
if in.APICall != nil {
in, out := &in.APICall, &out.APICall
*out = new(v1.ExternalAPICall)
*out = new(ExternalAPICall)
(*in).DeepCopyInto(*out)
}
return
@ -242,7 +258,7 @@ func (in *GlobalContextEntryStatus) DeepCopyInto(out *GlobalContextEntryStatus)
*out = *in
if in.Conditions != nil {
in, out := &in.Conditions, &out.Conditions
*out = make([]metav1.Condition, len(*in))
*out = make([]v1.Condition, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
@ -260,6 +276,22 @@ func (in *GlobalContextEntryStatus) DeepCopy() *GlobalContextEntryStatus {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubernetesResource) DeepCopyInto(out *KubernetesResource) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesResource.
func (in *KubernetesResource) DeepCopy() *KubernetesResource {
if in == nil {
return nil
}
out := new(KubernetesResource)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyException) DeepCopyInto(out *PolicyException) {
*out = *in


@ -257,7 +257,7 @@ The chart values are organised per component.
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created |
| crds.groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` |
| crds.groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` |
| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` |
| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` |
| crds.annotations | object | `{}` | Additional CRDs annotations |


@ -6,7 +6,7 @@
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.kyverno | object | `{"admissionreports":true,"backgroundscanreports":true,"cleanuppolicies":true,"clusteradmissionreports":true,"clusterbackgroundscanreports":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |


@ -0,0 +1,209 @@
{{- if .Values.groups.kyverno.globalcontextentries }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
{{- include "kyverno.crds.labels" . | nindent 4 }}
annotations:
{{- with .Values.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
controller-gen.kubebuilder.io/version: v0.12.0
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: GlobalContextEntry
listKind: GlobalContextEntryList
plural: globalcontextentries
shortNames:
- gctxentry
singular: globalcontextentry
scope: Cluster
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: GlobalContextEntry declares resources to be cached.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
apiCall:
description: APICall stores infos about API call that should be cached
properties:
data:
description: Data specifies the POST data sent to the server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
jmesPath:
description: JMESPath is an optional JSON Match Expression that
can be used to transform the JSON response returned from the
server. For example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all namespaces.
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
enum:
- GET
- POST
type: string
refreshIntervalSeconds:
default: 0
description: RefreshIntervalSeconds defines the interval at which
to poll the APICall
format: int64
type: integer
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which will
be used to validate the server certificate.
type: string
url:
description: URL is the JSON web service URL. A typical form
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP GET
or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required is the
same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
type: string
type: object
kubernetesResource:
description: KubernetesResource stores infos about kubernetes resource
that should be cached
properties:
group:
description: Group defines the group of the resource
type: string
namespace:
description: Namespace defines the namespace of the resource.
Leave empty for cluster scoped resources.
type: string
resource:
description: Resource defines the type of the resource
type: string
version:
description: Version defines the version of the resource
type: string
type: object
type: object
status:
description: Status contains globalcontextentry runtime data.
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
ready:
description: Deprecated in favor of Conditions
type: boolean
required:
- ready
type: object
required:
- spec
type: object
served: true
storage: true
{{- end }}


@ -17,6 +17,7 @@ groups:
clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true


@ -73,6 +73,7 @@ crds:
clusterbackgroundscanreports: true
clustercleanuppolicies: true
clusterpolicies: true
globalcontextentries: true
policies: true
policyexceptions: true
updaterequests: true


@ -28141,6 +28141,215 @@ spec:
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: kyverno-crds
app.kubernetes.io/version: v0.0.0
helm.sh/chart: crds-v0.0.0
annotations:
controller-gen.kubebuilder.io/version: v0.12.0
name: globalcontextentries.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: GlobalContextEntry
listKind: GlobalContextEntryList
plural: globalcontextentries
shortNames:
- gctxentry
singular: globalcontextentry
scope: Cluster
versions:
- name: v2alpha1
schema:
openAPIV3Schema:
description: GlobalContextEntry declares resources to be cached.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec declares policy exception behaviors.
properties:
apiCall:
description: APICall stores infos about API call that should be cached
properties:
data:
description: Data specifies the POST data sent to the server.
items:
description: RequestData contains the HTTP POST data
properties:
key:
description: Key is a unique identifier for the data value
type: string
value:
description: Value is the data value
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
jmesPath:
description: JMESPath is an optional JSON Match Expression that
can be used to transform the JSON response returned from the
server. For example a JMESPath of "items | length(@)" applied
to the API server response for the URLPath "/apis/apps/v1/deployments"
will return the total count of deployments across all namespaces.
type: string
method:
default: GET
description: Method is the HTTP request type (GET or POST).
enum:
- GET
- POST
type: string
refreshIntervalSeconds:
default: 0
description: RefreshIntervalSeconds defines the interval at which
to poll the APICall
format: int64
type: integer
service:
description: Service is an API call to a JSON web service
properties:
caBundle:
description: CABundle is a PEM encoded CA bundle which will
be used to validate the server certificate.
type: string
url:
description: URL is the JSON web service URL. A typical form
is `https://{service}.{namespace}:{port}/{path}`.
type: string
required:
- url
type: object
urlPath:
description: URLPath is the URL path to be used in the HTTP GET
or POST request to the Kubernetes API server (e.g. "/api/v1/namespaces"
or "/apis/apps/v1/deployments"). The format required is the
same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
for details.
type: string
type: object
kubernetesResource:
description: KubernetesResource stores infos about kubernetes resource
that should be cached
properties:
group:
description: Group defines the group of the resource
type: string
namespace:
description: Namespace defines the namespace of the resource.
Leave empty for cluster scoped resources.
type: string
resource:
description: Resource defines the type of the resource
type: string
version:
description: Version defines the version of the resource
type: string
type: object
type: object
status:
description: Status contains globalcontextentry runtime data.
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource. --- This struct is intended for direct
use as an array at the field path .status.conditions. For example,
\n type FooStatus struct{ // Represents the observations of a
foo's current state. // Known .status.conditions.type are: \"Available\",
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
// +listType=map // +listMapKey=type Conditions []metav1.Condition
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
properties:
lastTransitionTime:
description: lastTransitionTime is the last time the condition
transitioned from one status to another. This should be when
the underlying condition changed. If that is not known, then
using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: message is a human readable message indicating
details about the transition. This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: observedGeneration represents the .metadata.generation
that the condition was set based upon. For instance, if .metadata.generation
is currently 12, but the .status.conditions[x].observedGeneration
is 9, the condition is out of date with respect to the current
state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: reason contains a programmatic identifier indicating
the reason for the condition's last transition. Producers
of specific condition types may define expected values and
meanings for this field, and whether the values are considered
a guaranteed API. The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: type of condition in CamelCase or in foo.example.com/CamelCase.
--- Many .condition.type values are consistent across resources
like Available, but because arbitrary conditions can be useful
(see .node.status.conditions), the ability to deconflict is
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
ready:
description: Deprecated in favor of Conditions
type: boolean
required:
- ready
type: object
required:
- spec
type: object
served: true
storage: true
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app.kubernetes.io/component: crds


@ -611,7 +611,7 @@ PolicyStatus
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.ContextEntry">ContextEntry</a>,
<a href="#kyverno.io/v1.ExternalAPICall">ExternalAPICall</a>)
<a href="#kyverno.io/v2alpha1.ExternalAPICall">ExternalAPICall</a>)
</p>
<p>
</p>
@ -1571,52 +1571,6 @@ string
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ExternalAPICall">ExternalAPICall
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.GlobalContextEntrySpec">GlobalContextEntrySpec</a>)
</p>
<p>
<p>ExternalAPICall stores infos about API call that should be cached</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>APICall</code><br/>
<em>
<a href="#kyverno.io/v1.APICall">
APICall
</a>
</em>
</td>
<td>
<p>
(Members of <code>APICall</code> are embedded into this type.)
</p>
</td>
</tr>
<tr>
<td>
<code>refreshIntervalSeconds</code><br/>
<em>
int64
</em>
</td>
<td>
<p>RefreshIntervalSeconds defines the interval at which to poll the APICall</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.FailurePolicyType">FailurePolicyType
(<code>string</code> alias)</p></h3>
<p>
@ -2605,70 +2559,6 @@ map[string]string
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.KubernetesResource">KubernetesResource
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.GlobalContextEntrySpec">GlobalContextEntrySpec</a>)
</p>
<p>
<p>KubernetesResource stores infos about kubernetes resource that should be cached</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>group</code><br/>
<em>
string
</em>
</td>
<td>
<p>Group defines the group of the resource</p>
</td>
</tr>
<tr>
<td>
<code>version</code><br/>
<em>
string
</em>
</td>
<td>
<p>Version defines the version of the resource</p>
</td>
</tr>
<tr>
<td>
<code>resource</code><br/>
<em>
string
</em>
</td>
<td>
<p>Resource defines the type of the resource</p>
</td>
</tr>
<tr>
<td>
<code>namespace</code><br/>
<em>
string
</em>
</td>
<td>
<p>Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.Manifests">Manifests
</h3>
<p>
@ -7907,7 +7797,7 @@ GlobalContextEntrySpec
<td>
<code>kubernetesResource</code><br/>
<em>
<a href="#kyverno.io/v1.KubernetesResource">
<a href="#kyverno.io/v2alpha1.KubernetesResource">
KubernetesResource
</a>
</em>
@ -7920,7 +7810,7 @@ KubernetesResource
<td>
<code>apiCall</code><br/>
<em>
<a href="#kyverno.io/v1.ExternalAPICall">
<a href="#kyverno.io/v2alpha1.ExternalAPICall">
ExternalAPICall
</a>
</em>
@ -8087,6 +7977,52 @@ Applicable only to policies that have validate.podSecurity subrule.</p>
<p>
<p>CleanupPolicyInterface abstracts the concrete policy type (CleanupPolicy vs ClusterCleanupPolicy)</p>
</p>
<h3 id="kyverno.io/v2alpha1.ExternalAPICall">ExternalAPICall
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.GlobalContextEntrySpec">GlobalContextEntrySpec</a>)
</p>
<p>
<p>ExternalAPICall stores infos about API call that should be cached</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>APICall</code><br/>
<em>
<a href="#kyverno.io/v1.APICall">
APICall
</a>
</em>
</td>
<td>
<p>
(Members of <code>APICall</code> are embedded into this type.)
</p>
</td>
</tr>
<tr>
<td>
<code>refreshIntervalSeconds</code><br/>
<em>
int64
</em>
</td>
<td>
<p>RefreshIntervalSeconds defines the interval at which to poll the APICall</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.GlobalContextEntrySpec">GlobalContextEntrySpec
</h3>
<p>
@ -8108,7 +8044,7 @@ Applicable only to policies that have validate.podSecurity subrule.</p>
<td>
<code>kubernetesResource</code><br/>
<em>
<a href="#kyverno.io/v1.KubernetesResource">
<a href="#kyverno.io/v2alpha1.KubernetesResource">
KubernetesResource
</a>
</em>
@ -8121,7 +8057,7 @@ KubernetesResource
<td>
<code>apiCall</code><br/>
<em>
<a href="#kyverno.io/v1.ExternalAPICall">
<a href="#kyverno.io/v2alpha1.ExternalAPICall">
ExternalAPICall
</a>
</em>
@ -8176,6 +8112,70 @@ bool
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v2alpha1.KubernetesResource">KubernetesResource
</h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v2alpha1.GlobalContextEntrySpec">GlobalContextEntrySpec</a>)
</p>
<p>
<p>KubernetesResource stores infos about kubernetes resource that should be cached</p>
</p>
<table class="table table-striped">
<thead class="thead-dark">
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<code>group</code><br/>
<em>
string
</em>
</td>
<td>
<p>Group defines the group of the resource</p>
</td>
</tr>
<tr>
<td>
<code>version</code><br/>
<em>
string
</em>
</td>
<td>
<p>Version defines the version of the resource</p>
</td>
</tr>
<tr>
<td>
<code>resource</code><br/>
<em>
string
</em>
</td>
<td>
<p>Resource defines the type of the resource</p>
</td>
</tr>
<tr>
<td>
<code>namespace</code><br/>
<em>
string
</em>
</td>
<td>
<p>Namespace defines the namespace of the resource. Leave empty for cluster scoped resources.</p>
</td>
</tr>
</tbody>
</table>
<hr />
<h2 id="kyverno.io/v2beta1">kyverno.io/v2beta1</h2>
Resource Types:
<ul><li>


@ -16,17 +16,18 @@ limitations under the License.
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
package v2alpha1
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
)
// ExternalAPICallApplyConfiguration represents an declarative configuration of the ExternalAPICall type for use
// with apply.
type ExternalAPICallApplyConfiguration struct {
APICallApplyConfiguration `json:",omitempty,inline"`
RefreshIntervalSeconds *int64 `json:"refreshIntervalSeconds,omitempty"`
v1.APICallApplyConfiguration `json:",omitempty,inline"`
RefreshIntervalSeconds *int64 `json:"refreshIntervalSeconds,omitempty"`
}
// ExternalAPICallApplyConfiguration constructs an declarative configuration of the ExternalAPICall type for use with
@ -54,7 +55,7 @@ func (b *ExternalAPICallApplyConfiguration) WithMethod(value kyvernov1.Method) *
// WithData adds the given value to the Data field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Data field.
func (b *ExternalAPICallApplyConfiguration) WithData(values ...*RequestDataApplyConfiguration) *ExternalAPICallApplyConfiguration {
func (b *ExternalAPICallApplyConfiguration) WithData(values ...*v1.RequestDataApplyConfiguration) *ExternalAPICallApplyConfiguration {
for i := range values {
if values[i] == nil {
panic("nil value passed to WithData")
@ -67,7 +68,7 @@ func (b *ExternalAPICallApplyConfiguration) WithData(values ...*RequestDataApply
// WithService sets the Service field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Service field is set to the value of the last call.
func (b *ExternalAPICallApplyConfiguration) WithService(value *ServiceCallApplyConfiguration) *ExternalAPICallApplyConfiguration {
func (b *ExternalAPICallApplyConfiguration) WithService(value *v1.ServiceCallApplyConfiguration) *ExternalAPICallApplyConfiguration {
b.Service = value
return b
}


@ -18,15 +18,11 @@ limitations under the License.
package v2alpha1
import (
v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
)
// GlobalContextEntrySpecApplyConfiguration represents an declarative configuration of the GlobalContextEntrySpec type for use
// with apply.
type GlobalContextEntrySpecApplyConfiguration struct {
KubernetesResource *v1.KubernetesResourceApplyConfiguration `json:"kubernetesResource,omitempty"`
APICall *v1.ExternalAPICallApplyConfiguration `json:"apiCall,omitempty"`
KubernetesResource *KubernetesResourceApplyConfiguration `json:"kubernetesResource,omitempty"`
APICall *ExternalAPICallApplyConfiguration `json:"apiCall,omitempty"`
}
// GlobalContextEntrySpecApplyConfiguration constructs an declarative configuration of the GlobalContextEntrySpec type for use with
@ -38,7 +34,7 @@ func GlobalContextEntrySpec() *GlobalContextEntrySpecApplyConfiguration {
// WithKubernetesResource sets the KubernetesResource field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the KubernetesResource field is set to the value of the last call.
func (b *GlobalContextEntrySpecApplyConfiguration) WithKubernetesResource(value *v1.KubernetesResourceApplyConfiguration) *GlobalContextEntrySpecApplyConfiguration {
func (b *GlobalContextEntrySpecApplyConfiguration) WithKubernetesResource(value *KubernetesResourceApplyConfiguration) *GlobalContextEntrySpecApplyConfiguration {
b.KubernetesResource = value
return b
}
@ -46,7 +42,7 @@ func (b *GlobalContextEntrySpecApplyConfiguration) WithKubernetesResource(value
// WithAPICall sets the APICall field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the APICall field is set to the value of the last call.
func (b *GlobalContextEntrySpecApplyConfiguration) WithAPICall(value *v1.ExternalAPICallApplyConfiguration) *GlobalContextEntrySpecApplyConfiguration {
func (b *GlobalContextEntrySpecApplyConfiguration) WithAPICall(value *ExternalAPICallApplyConfiguration) *GlobalContextEntrySpecApplyConfiguration {
b.APICall = value
return b
}


@ -16,7 +16,7 @@ limitations under the License.
// Code generated by applyconfiguration-gen. DO NOT EDIT.
package v1
package v2alpha1
// KubernetesResourceApplyConfiguration represents an declarative configuration of the KubernetesResource type for use
// with apply.


@ -77,8 +77,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov1.DenyApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("DryRunOption"):
return &kyvernov1.DryRunOptionApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ExternalAPICall"):
return &kyvernov1.ExternalAPICallApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ForEachMutation"):
return &kyvernov1.ForEachMutationApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("ForEachValidation"):
@ -95,8 +93,6 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov1.ImageVerificationApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("KeylessAttestor"):
return &kyvernov1.KeylessAttestorApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("KubernetesResource"):
return &kyvernov1.KubernetesResourceApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("Manifests"):
return &kyvernov1.ManifestsApplyConfiguration{}
case v1.SchemeGroupVersion.WithKind("MatchResources"):
@ -225,12 +221,16 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov2alpha1.CleanupPolicyApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("ClusterCleanupPolicy"):
return &kyvernov2alpha1.ClusterCleanupPolicyApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("ExternalAPICall"):
return &kyvernov2alpha1.ExternalAPICallApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("GlobalContextEntry"):
return &kyvernov2alpha1.GlobalContextEntryApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("GlobalContextEntrySpec"):
return &kyvernov2alpha1.GlobalContextEntrySpecApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("GlobalContextEntryStatus"):
return &kyvernov2alpha1.GlobalContextEntryStatusApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("KubernetesResource"):
return &kyvernov2alpha1.KubernetesResourceApplyConfiguration{}
case v2alpha1.SchemeGroupVersion.WithKind("PolicyException"):
return &kyvernov2alpha1.PolicyExceptionApplyConfiguration{}