mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 20:20:22 +00:00
chore: rename validationFailureAction to failureAction under the rule (#10893)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
parent
ee5fdcad47
commit
2140a0239b
427 changed files with 3478 additions and 3478 deletions
|
@ -451,18 +451,18 @@ func (m *ForEachMutation) SetPatchStrategicMerge(in any) {
|
||||||
|
|
||||||
// Validation defines checks to be performed on matching resources.
|
// Validation defines checks to be performed on matching resources.
|
||||||
type Validation struct {
|
type Validation struct {
|
||||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
// FailureAction defines if a validation policy rule violation should block
|
||||||
// the admission review request (Enforce), or allow (Audit) the admission review request
|
// the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
// and report an error in a policy report. Optional.
|
// and report an error in a policy report. Optional.
|
||||||
// Allowed values are Audit or Enforce.
|
// Allowed values are Audit or Enforce.
|
||||||
// +optional
|
// +optional
|
||||||
// +kubebuilder:validation:Enum=Audit;Enforce
|
// +kubebuilder:validation:Enum=Audit;Enforce
|
||||||
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
// namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
// +optional
|
// +optional
|
||||||
ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
FailureActionOverrides []ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Message specifies a custom message to be displayed on failure.
|
// Message specifies a custom message to be displayed on failure.
|
||||||
// +optional
|
// +optional
|
||||||
|
|
|
@ -44,7 +44,7 @@ type ImageVerification struct {
|
||||||
// Allowed values are Audit or Enforce.
|
// Allowed values are Audit or Enforce.
|
||||||
// +optional
|
// +optional
|
||||||
// +kubebuilder:validation:Enum=Audit;Enforce
|
// +kubebuilder:validation:Enum=Audit;Enforce
|
||||||
ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
FailureAction *ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
|
||||||
|
|
||||||
// Type specifies the method of signature validation. The allowed options
|
// Type specifies the method of signature validation. The allowed options
|
||||||
// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
// are Cosign, Sigstore Bundle and Notary. By default Cosign is used if a type is not specified.
|
||||||
|
|
|
@ -175,7 +175,7 @@ func (s *Spec) HasValidate() bool {
|
||||||
func (s *Spec) HasValidateEnforce() bool {
|
func (s *Spec) HasValidateEnforce() bool {
|
||||||
for _, rule := range s.Rules {
|
for _, rule := range s.Rules {
|
||||||
if rule.HasValidate() {
|
if rule.HasValidate() {
|
||||||
action := rule.Validation.ValidationFailureAction
|
action := rule.Validation.FailureAction
|
||||||
if action != nil && action.Enforce() {
|
if action != nil && action.Enforce() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -846,8 +846,8 @@ func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.ValidationFailureAction != nil {
|
if in.FailureAction != nil {
|
||||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
in, out := &in.FailureAction, &out.FailureAction
|
||||||
*out = new(ValidationFailureAction)
|
*out = new(ValidationFailureAction)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
@ -1637,13 +1637,13 @@ func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicy
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.ValidationFailureAction != nil {
|
if in.FailureAction != nil {
|
||||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
in, out := &in.FailureAction, &out.FailureAction
|
||||||
*out = new(ValidationFailureAction)
|
*out = new(ValidationFailureAction)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
if in.ValidationFailureActionOverrides != nil {
|
if in.FailureActionOverrides != nil {
|
||||||
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
|
||||||
*out = make([]ValidationFailureActionOverride, len(*in))
|
*out = make([]ValidationFailureActionOverride, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
|
|
@ -11,18 +11,18 @@ type AssertionTree = kjson.Any
|
||||||
|
|
||||||
// Validation defines checks to be performed on matching resources.
|
// Validation defines checks to be performed on matching resources.
|
||||||
type Validation struct {
|
type Validation struct {
|
||||||
// ValidationFailureAction defines if a validation policy rule violation should block
|
// FailureAction defines if a validation policy rule violation should block
|
||||||
// the admission review request (Enforce), or allow (Audit) the admission review request
|
// the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
// and report an error in a policy report. Optional.
|
// and report an error in a policy report. Optional.
|
||||||
// Allowed values are Audit or Enforce.
|
// Allowed values are Audit or Enforce.
|
||||||
// +optional
|
// +optional
|
||||||
// +kubebuilder:validation:Enum=Audit;Enforce
|
// +kubebuilder:validation:Enum=Audit;Enforce
|
||||||
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
|
||||||
|
|
||||||
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
// FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
// namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
// +optional
|
// +optional
|
||||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
|
FailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"failureActionOverrides,omitempty" yaml:"failureActionOverrides,omitempty"`
|
||||||
|
|
||||||
// Message specifies a custom message to be displayed on failure.
|
// Message specifies a custom message to be displayed on failure.
|
||||||
// +optional
|
// +optional
|
||||||
|
|
|
@ -12,7 +12,7 @@ type ImageVerification struct {
|
||||||
// Allowed values are Audit or Enforce.
|
// Allowed values are Audit or Enforce.
|
||||||
// +optional
|
// +optional
|
||||||
// +kubebuilder:validation:Enum=Audit;Enforce
|
// +kubebuilder:validation:Enum=Audit;Enforce
|
||||||
ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
|
FailureAction *kyvernov1.ValidationFailureAction `json:"failureAction,omitempty" yaml:"failureAction,omitempty"`
|
||||||
|
|
||||||
// Type specifies the method of signature validation. The allowed options
|
// Type specifies the method of signature validation. The allowed options
|
||||||
// are Cosign and Notary. By default Cosign is used if a type is not specified.
|
// are Cosign and Notary. By default Cosign is used if a type is not specified.
|
||||||
|
|
|
@ -139,7 +139,7 @@ func (s *Spec) HasValidate() bool {
|
||||||
func (s *Spec) HasValidateEnforce() bool {
|
func (s *Spec) HasValidateEnforce() bool {
|
||||||
for _, rule := range s.Rules {
|
for _, rule := range s.Rules {
|
||||||
if rule.HasValidate() {
|
if rule.HasValidate() {
|
||||||
action := rule.Validation.ValidationFailureAction
|
action := rule.Validation.FailureAction
|
||||||
if action != nil && action.Enforce() {
|
if action != nil && action.Enforce() {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
|
@ -368,8 +368,8 @@ func (in *Exception) DeepCopy() *Exception {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.ValidationFailureAction != nil {
|
if in.FailureAction != nil {
|
||||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
in, out := &in.FailureAction, &out.FailureAction
|
||||||
*out = new(v1.ValidationFailureAction)
|
*out = new(v1.ValidationFailureAction)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
|
@ -833,13 +833,13 @@ func (in *Spec) DeepCopy() *Spec {
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *Validation) DeepCopyInto(out *Validation) {
|
func (in *Validation) DeepCopyInto(out *Validation) {
|
||||||
*out = *in
|
*out = *in
|
||||||
if in.ValidationFailureAction != nil {
|
if in.FailureAction != nil {
|
||||||
in, out := &in.ValidationFailureAction, &out.ValidationFailureAction
|
in, out := &in.FailureAction, &out.FailureAction
|
||||||
*out = new(v1.ValidationFailureAction)
|
*out = new(v1.ValidationFailureAction)
|
||||||
**out = **in
|
**out = **in
|
||||||
}
|
}
|
||||||
if in.ValidationFailureActionOverrides != nil {
|
if in.FailureActionOverrides != nil {
|
||||||
in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides
|
in, out := &in.FailureActionOverrides, &out.FailureActionOverrides
|
||||||
*out = make([]v1.ValidationFailureActionOverride, len(*in))
|
*out = make([]v1.ValidationFailureActionOverride, len(*in))
|
||||||
for i := range *in {
|
for i := range *in {
|
||||||
(*in)[i].DeepCopyInto(&(*out)[i])
|
(*in)[i].DeepCopyInto(&(*out)[i])
|
||||||
|
|
|
@ -3099,6 +3099,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3842,87 +3923,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4611,6 +4611,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4707,12 +4713,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7902,6 +7902,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8657,87 +8738,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9440,6 +9440,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9537,12 +9543,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12523,6 +12523,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13266,87 +13347,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14019,6 +14019,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14100,12 +14106,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17295,6 +17295,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18050,87 +18131,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18833,6 +18833,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18930,12 +18936,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
|
@ -3100,6 +3100,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3843,87 +3924,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4612,6 +4612,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4708,12 +4714,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7904,6 +7904,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8659,87 +8740,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9442,6 +9442,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9539,12 +9545,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12526,6 +12526,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13269,87 +13350,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14022,6 +14022,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14103,12 +14109,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17298,6 +17298,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18053,87 +18134,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18836,6 +18836,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18933,12 +18939,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
|
@ -34,7 +34,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Namespace
|
- Namespace
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: "You must have label 'purpose' with value 'production' set on all new namespaces."
|
message: "You must have label 'purpose' with value 'production' set on all new namespaces."
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -18,7 +18,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-account
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -31,7 +31,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-limits
|
name: pods-require-limits
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -18,7 +18,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-account
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -31,7 +31,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-limits
|
name: pods-require-limits
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -32,4 +32,4 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: true
|
verifyDigest: true
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -56,4 +56,4 @@ spec:
|
||||||
- CREATE
|
- CREATE
|
||||||
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
|
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
|
||||||
resource is protected. Admin or allowed users can change the resource'
|
resource is protected. Admin or allowed users can change the resource'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -18,7 +18,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-account
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -42,4 +42,4 @@ spec:
|
||||||
requests:
|
requests:
|
||||||
cpu: ?*
|
cpu: ?*
|
||||||
memory: ?*
|
memory: ?*
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -30,7 +30,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: audit
|
failureAction: audit
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-account
|
name: pods-require-account
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: User pods must include an account for charging
|
message: User pods must include an account for charging
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
@ -32,7 +32,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: pods-require-limits
|
name: pods-require-limits
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: CPU and memory resource requests and limits are required for user pods
|
message: CPU and memory resource requests and limits are required for user pods
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -20,4 +20,4 @@ spec:
|
||||||
podSecurity:
|
podSecurity:
|
||||||
level: restricted
|
level: restricted
|
||||||
version: latest
|
version: latest
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -3093,6 +3093,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3836,87 +3917,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4605,6 +4605,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4701,12 +4707,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7896,6 +7896,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8651,87 +8732,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9434,6 +9434,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9531,12 +9537,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12517,6 +12517,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13260,87 +13341,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14013,6 +14013,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14094,12 +14100,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17289,6 +17289,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18044,87 +18125,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18827,6 +18827,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18924,12 +18930,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
|
@ -3094,6 +3094,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3837,87 +3918,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4606,6 +4606,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4702,12 +4708,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7898,6 +7898,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8653,87 +8734,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9436,6 +9436,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9533,12 +9539,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12520,6 +12520,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13263,87 +13344,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14016,6 +14016,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14097,12 +14103,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17292,6 +17292,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18047,87 +18128,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18830,6 +18830,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18927,12 +18933,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
|
@ -3093,6 +3093,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3836,87 +3917,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4605,6 +4605,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4701,12 +4707,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7896,6 +7896,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8651,87 +8732,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9434,6 +9434,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9531,12 +9537,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12517,6 +12517,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13260,87 +13341,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14013,6 +14013,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14094,12 +14100,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17289,6 +17289,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18044,87 +18125,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18827,6 +18827,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18924,12 +18930,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
|
@ -3094,6 +3094,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -3837,87 +3918,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -4606,6 +4606,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -4702,12 +4708,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -7898,6 +7898,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -8653,87 +8734,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -9436,6 +9436,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -9533,12 +9539,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
@ -12520,6 +12520,87 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the policy
|
||||||
|
validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of label
|
||||||
|
selector requirements. The requirements are
|
||||||
|
ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that the
|
||||||
|
selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list of
|
description: ForEach applies validate rules to a list of
|
||||||
sub-elements by creating a context for each entry in the
|
sub-elements by creating a context for each entry in the
|
||||||
|
@ -13263,87 +13344,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the policy
|
|
||||||
validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label
|
|
||||||
selector requirements. The requirements are
|
|
||||||
ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the
|
|
||||||
selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -14016,6 +14016,12 @@ spec:
|
||||||
type: array
|
type: array
|
||||||
type: object
|
type: object
|
||||||
type: array
|
type: array
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
imageReferences:
|
imageReferences:
|
||||||
description: |-
|
description: |-
|
||||||
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
ImageReferences is a list of matching image reference patterns. At least one pattern in the
|
||||||
|
@ -14097,12 +14103,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule
|
responses for this rule
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have a
|
description: VerifyDigest validates that images have a
|
||||||
|
@ -17292,6 +17292,87 @@ spec:
|
||||||
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
|
||||||
x-kubernetes-preserve-unknown-fields: true
|
x-kubernetes-preserve-unknown-fields: true
|
||||||
type: object
|
type: object
|
||||||
|
failureAction:
|
||||||
|
description: |-
|
||||||
|
FailureAction defines if a validation policy rule violation should block
|
||||||
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
|
and report an error in a policy report. Optional.
|
||||||
|
Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
failureActionOverrides:
|
||||||
|
description: |-
|
||||||
|
FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
|
namespace-wise. It overrides FailureAction for the specified namespaces.
|
||||||
|
items:
|
||||||
|
properties:
|
||||||
|
action:
|
||||||
|
description: ValidationFailureAction defines the
|
||||||
|
policy validation failure action
|
||||||
|
enum:
|
||||||
|
- audit
|
||||||
|
- enforce
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
|
namespaceSelector:
|
||||||
|
description: |-
|
||||||
|
A label selector is a label query over a set of resources. The result of matchLabels and
|
||||||
|
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
||||||
|
label selector matches no objects.
|
||||||
|
properties:
|
||||||
|
matchExpressions:
|
||||||
|
description: matchExpressions is a list of
|
||||||
|
label selector requirements. The requirements
|
||||||
|
are ANDed.
|
||||||
|
items:
|
||||||
|
description: |-
|
||||||
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
||||||
|
relates the key and values.
|
||||||
|
properties:
|
||||||
|
key:
|
||||||
|
description: key is the label key that
|
||||||
|
the selector applies to.
|
||||||
|
type: string
|
||||||
|
operator:
|
||||||
|
description: |-
|
||||||
|
operator represents a key's relationship to a set of values.
|
||||||
|
Valid operators are In, NotIn, Exists and DoesNotExist.
|
||||||
|
type: string
|
||||||
|
values:
|
||||||
|
description: |-
|
||||||
|
values is an array of string values. If the operator is In or NotIn,
|
||||||
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
||||||
|
the values array must be empty. This array is replaced during a strategic
|
||||||
|
merge patch.
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
required:
|
||||||
|
- key
|
||||||
|
- operator
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
|
x-kubernetes-list-type: atomic
|
||||||
|
matchLabels:
|
||||||
|
additionalProperties:
|
||||||
|
type: string
|
||||||
|
description: |-
|
||||||
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
||||||
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
||||||
|
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
||||||
|
type: object
|
||||||
|
type: object
|
||||||
|
x-kubernetes-map-type: atomic
|
||||||
|
namespaces:
|
||||||
|
items:
|
||||||
|
type: string
|
||||||
|
type: array
|
||||||
|
type: object
|
||||||
|
type: array
|
||||||
foreach:
|
foreach:
|
||||||
description: ForEach applies validate rules to a list
|
description: ForEach applies validate rules to a list
|
||||||
of sub-elements by creating a context for each entry
|
of sub-elements by creating a context for each entry
|
||||||
|
@ -18047,87 +18128,6 @@ spec:
|
||||||
- latest
|
- latest
|
||||||
type: string
|
type: string
|
||||||
type: object
|
type: object
|
||||||
validationFailureAction:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureAction defines if a validation policy rule violation should block
|
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
|
||||||
and report an error in a policy report. Optional.
|
|
||||||
Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
validationFailureActionOverrides:
|
|
||||||
description: |-
|
|
||||||
ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
|
|
||||||
items:
|
|
||||||
properties:
|
|
||||||
action:
|
|
||||||
description: ValidationFailureAction defines the
|
|
||||||
policy validation failure action
|
|
||||||
enum:
|
|
||||||
- audit
|
|
||||||
- enforce
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
namespaceSelector:
|
|
||||||
description: |-
|
|
||||||
A label selector is a label query over a set of resources. The result of matchLabels and
|
|
||||||
matchExpressions are ANDed. An empty label selector matches all objects. A null
|
|
||||||
label selector matches no objects.
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of
|
|
||||||
label selector requirements. The requirements
|
|
||||||
are ANDed.
|
|
||||||
items:
|
|
||||||
description: |-
|
|
||||||
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
||||||
relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that
|
|
||||||
the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: |-
|
|
||||||
operator represents a key's relationship to a set of values.
|
|
||||||
Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: |-
|
|
||||||
values is an array of string values. If the operator is In or NotIn,
|
|
||||||
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
||||||
the values array must be empty. This array is replaced during a strategic
|
|
||||||
merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
x-kubernetes-list-type: atomic
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: |-
|
|
||||||
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
||||||
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
||||||
operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
x-kubernetes-map-type: atomic
|
|
||||||
namespaces:
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
type: object
|
type: object
|
||||||
verifyImages:
|
verifyImages:
|
||||||
description: VerifyImages is used to verify image signatures
|
description: VerifyImages is used to verify image signatures
|
||||||
|
@ -18830,6 +18830,12 @@ spec:
|
||||||
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
|
||||||
Defaults to false.
|
Defaults to false.
|
||||||
type: boolean
|
type: boolean
|
||||||
|
failureAction:
|
||||||
|
description: Allowed values are Audit or Enforce.
|
||||||
|
enum:
|
||||||
|
- Audit
|
||||||
|
- Enforce
|
||||||
|
type: string
|
||||||
image:
|
image:
|
||||||
description: Deprecated. Use ImageReferences instead.
|
description: Deprecated. Use ImageReferences instead.
|
||||||
type: string
|
type: string
|
||||||
|
@ -18927,12 +18933,6 @@ spec:
|
||||||
description: UseCache enables caching of image verify
|
description: UseCache enables caching of image verify
|
||||||
responses for this rule.
|
responses for this rule.
|
||||||
type: boolean
|
type: boolean
|
||||||
validationFailureAction:
|
|
||||||
description: Allowed values are Audit or Enforce.
|
|
||||||
enum:
|
|
||||||
- Audit
|
|
||||||
- Enforce
|
|
||||||
type: string
|
|
||||||
verifyDigest:
|
verifyDigest:
|
||||||
default: true
|
default: true
|
||||||
description: VerifyDigest validates that images have
|
description: VerifyDigest validates that images have
|
||||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -2509,7 +2509,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureAction</code><br/>
|
<code>failureAction</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
ValidationFailureAction
|
ValidationFailureAction
|
||||||
|
@ -4619,7 +4619,7 @@ It is an empty string when validating admission policy is successfully generated
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureAction</code><br/>
|
<code>failureAction</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
ValidationFailureAction
|
ValidationFailureAction
|
||||||
|
@ -4628,7 +4628,7 @@ ValidationFailureAction
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<em>(Optional)</em>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>FailureAction defines if a validation policy rule violation should block
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
and report an error in a policy report. Optional.
|
and report an error in a policy report. Optional.
|
||||||
Allowed values are Audit or Enforce.</p>
|
Allowed values are Audit or Enforce.</p>
|
||||||
|
@ -4636,7 +4636,7 @@ Allowed values are Audit or Enforce.</p>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureActionOverrides</code><br/>
|
<code>failureActionOverrides</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||||
[]ValidationFailureActionOverride
|
[]ValidationFailureActionOverride
|
||||||
|
@ -4645,8 +4645,8 @@ Allowed values are Audit or Enforce.</p>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<em>(Optional)</em>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
@ -8640,7 +8640,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureAction</code><br/>
|
<code>failureAction</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
ValidationFailureAction
|
ValidationFailureAction
|
||||||
|
@ -9523,7 +9523,7 @@ WebhookConfiguration
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureAction</code><br/>
|
<code>failureAction</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureAction">
|
<a href="#kyverno.io/v1.ValidationFailureAction">
|
||||||
ValidationFailureAction
|
ValidationFailureAction
|
||||||
|
@ -9532,7 +9532,7 @@ ValidationFailureAction
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<em>(Optional)</em>
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>FailureAction defines if a validation policy rule violation should block
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
and report an error in a policy report. Optional.
|
and report an error in a policy report. Optional.
|
||||||
Allowed values are Audit or Enforce.</p>
|
Allowed values are Audit or Enforce.</p>
|
||||||
|
@ -9540,7 +9540,7 @@ Allowed values are Audit or Enforce.</p>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<code>validationFailureActionOverrides</code><br/>
|
<code>failureActionOverrides</code><br/>
|
||||||
<em>
|
<em>
|
||||||
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
<a href="#kyverno.io/v1.ValidationFailureActionOverride">
|
||||||
[]ValidationFailureActionOverride
|
[]ValidationFailureActionOverride
|
||||||
|
@ -9549,8 +9549,8 @@ Allowed values are Audit or Enforce.</p>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<em>(Optional)</em>
|
<em>(Optional)</em>
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
|
|
|
@ -4945,7 +4945,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>failureAction</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -9285,7 +9285,7 @@ It is an empty string when validating admission policy is successfully generated
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>failureAction</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -9301,7 +9301,7 @@ It is an empty string when validating admission policy is successfully generated
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>FailureAction defines if a validation policy rule violation should block
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
and report an error in a policy report. Optional.
|
and report an error in a policy report. Optional.
|
||||||
Allowed values are Audit or Enforce.</p>
|
Allowed values are Audit or Enforce.</p>
|
||||||
|
@ -9317,7 +9317,7 @@ Allowed values are Audit or Enforce.</p>
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>failureActionOverrides</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -9333,8 +9333,8 @@ Allowed values are Audit or Enforce.</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -2774,7 +2774,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>failureAction</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -4550,7 +4550,7 @@ Defaults to "false" if not specified.</p>
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureAction</code>
|
<td><code>failureAction</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -4566,7 +4566,7 @@ Defaults to "false" if not specified.</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureAction defines if a validation policy rule violation should block
|
<p>FailureAction defines if a validation policy rule violation should block
|
||||||
the admission review request (Enforce), or allow (Audit) the admission review request
|
the admission review request (Enforce), or allow (Audit) the admission review request
|
||||||
and report an error in a policy report. Optional.
|
and report an error in a policy report. Optional.
|
||||||
Allowed values are Audit or Enforce.</p>
|
Allowed values are Audit or Enforce.</p>
|
||||||
|
@ -4582,7 +4582,7 @@ Allowed values are Audit or Enforce.</p>
|
||||||
|
|
||||||
|
|
||||||
<tr>
|
<tr>
|
||||||
<td><code>validationFailureActionOverrides</code>
|
<td><code>failureActionOverrides</code>
|
||||||
|
|
||||||
</br>
|
</br>
|
||||||
|
|
||||||
|
@ -4598,8 +4598,8 @@ Allowed values are Audit or Enforce.</p>
|
||||||
<td>
|
<td>
|
||||||
|
|
||||||
|
|
||||||
<p>ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
|
<p>FailureActionOverrides is a Cluster Policy attribute that specifies FailureAction
|
||||||
namespace-wise. It overrides ValidationFailureAction for the specified namespaces.</p>
|
namespace-wise. It overrides FailureAction for the specified namespaces.</p>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -242,7 +242,7 @@ func Test_GetSupportedControllers(t *testing.T) {
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "rule-with-validate-podsecurity",
|
name: "rule-with-validate-podsecurity",
|
||||||
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
|
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
|
||||||
expectedControllers: PodControllers,
|
expectedControllers: PodControllers,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -539,7 +539,7 @@ kA==
|
||||||
}
|
}
|
||||||
|
|
||||||
func Test_PodSecurityWithNoExceptions(t *testing.T) {
|
func Test_PodSecurityWithNoExceptions(t *testing.T) {
|
||||||
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"validationFailureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
|
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"failureAction":"enforce","podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
|
||||||
policies, _, _, err := yamlutils.GetPolicy([]byte(policy))
|
policies, _, _, err := yamlutils.GetPolicy([]byte(policy))
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
assert.Equal(t, 1, len(policies))
|
assert.Equal(t, 1, len(policies))
|
||||||
|
@ -573,7 +573,7 @@ func Test_ValidateWithCELExpressions(t *testing.T) {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"cel": {
|
"cel": {
|
||||||
"expressions": [
|
"expressions": [
|
||||||
{
|
{
|
||||||
|
|
|
@ -129,9 +129,9 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
|
||||||
}
|
}
|
||||||
if target := rule.Validation.GetPattern(); target != nil {
|
if target := rule.Validation.GetPattern(); target != nil {
|
||||||
newValidate := kyvernov1.Validation{
|
newValidate := kyvernov1.Validation{
|
||||||
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
|
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
|
||||||
ValidationFailureAction: rule.Validation.ValidationFailureAction,
|
FailureAction: rule.Validation.FailureAction,
|
||||||
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
|
FailureActionOverrides: rule.Validation.FailureActionOverrides,
|
||||||
}
|
}
|
||||||
newValidate.SetPattern(
|
newValidate.SetPattern(
|
||||||
map[string]interface{}{
|
map[string]interface{}{
|
||||||
|
@ -145,10 +145,10 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
|
||||||
}
|
}
|
||||||
if rule.Validation.Deny != nil {
|
if rule.Validation.Deny != nil {
|
||||||
deny := kyvernov1.Validation{
|
deny := kyvernov1.Validation{
|
||||||
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
|
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "deny"),
|
||||||
Deny: rule.Validation.Deny,
|
Deny: rule.Validation.Deny,
|
||||||
ValidationFailureAction: rule.Validation.ValidationFailureAction,
|
FailureAction: rule.Validation.FailureAction,
|
||||||
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
|
FailureActionOverrides: rule.Validation.FailureActionOverrides,
|
||||||
}
|
}
|
||||||
rule.Validation = deny
|
rule.Validation = deny
|
||||||
return rule
|
return rule
|
||||||
|
@ -163,8 +163,8 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
|
||||||
Version: rule.Validation.PodSecurity.Version,
|
Version: rule.Validation.PodSecurity.Version,
|
||||||
Exclude: newExclude,
|
Exclude: newExclude,
|
||||||
},
|
},
|
||||||
ValidationFailureAction: rule.Validation.ValidationFailureAction,
|
FailureAction: rule.Validation.FailureAction,
|
||||||
ValidationFailureActionOverrides: rule.Validation.ValidationFailureActionOverrides,
|
FailureActionOverrides: rule.Validation.FailureActionOverrides,
|
||||||
}
|
}
|
||||||
rule.Validation = podSecurity
|
rule.Validation = podSecurity
|
||||||
return rule
|
return rule
|
||||||
|
@ -183,12 +183,12 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
|
||||||
}
|
}
|
||||||
patterns = append(patterns, newPattern)
|
patterns = append(patterns, newPattern)
|
||||||
}
|
}
|
||||||
validationFailureAction := rule.Validation.ValidationFailureAction
|
failureAction := rule.Validation.FailureAction
|
||||||
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
failureActionOverrides := rule.Validation.FailureActionOverrides
|
||||||
rule.Validation = kyvernov1.Validation{
|
rule.Validation = kyvernov1.Validation{
|
||||||
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
|
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "anyPattern"),
|
||||||
ValidationFailureAction: validationFailureAction,
|
FailureAction: failureAction,
|
||||||
ValidationFailureActionOverrides: validationFailureActionOverrides,
|
FailureActionOverrides: failureActionOverrides,
|
||||||
}
|
}
|
||||||
rule.Validation.SetAnyPattern(patterns)
|
rule.Validation.SetAnyPattern(patterns)
|
||||||
return rule
|
return rule
|
||||||
|
@ -196,13 +196,13 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
|
||||||
if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil {
|
if len(rule.Validation.ForEachValidation) > 0 && rule.Validation.ForEachValidation != nil {
|
||||||
newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation))
|
newForeachValidate := make([]kyvernov1.ForEachValidation, len(rule.Validation.ForEachValidation))
|
||||||
copy(newForeachValidate, rule.Validation.ForEachValidation)
|
copy(newForeachValidate, rule.Validation.ForEachValidation)
|
||||||
validationFailureAction := rule.Validation.ValidationFailureAction
|
failureAction := rule.Validation.FailureAction
|
||||||
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
failureActionOverrides := rule.Validation.FailureActionOverrides
|
||||||
rule.Validation = kyvernov1.Validation{
|
rule.Validation = kyvernov1.Validation{
|
||||||
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
|
Message: variables.FindAndShiftReferences(logger, rule.Validation.Message, shift, "pattern"),
|
||||||
ForEachValidation: newForeachValidate,
|
ForEachValidation: newForeachValidate,
|
||||||
ValidationFailureAction: validationFailureAction,
|
FailureAction: failureAction,
|
||||||
ValidationFailureActionOverrides: validationFailureActionOverrides,
|
FailureActionOverrides: failureActionOverrides,
|
||||||
}
|
}
|
||||||
return rule
|
return rule
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,7 +25,7 @@ import (
|
||||||
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
|
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ImageVerificationApplyConfiguration struct {
|
type ImageVerificationApplyConfiguration struct {
|
||||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
|
||||||
Type *v1.ImageVerificationType `json:"type,omitempty"`
|
Type *v1.ImageVerificationType `json:"type,omitempty"`
|
||||||
Image *string `json:"image,omitempty"`
|
Image *string `json:"image,omitempty"`
|
||||||
ImageReferences []string `json:"imageReferences,omitempty"`
|
ImageReferences []string `json:"imageReferences,omitempty"`
|
||||||
|
@ -53,11 +53,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
|
||||||
return &ImageVerificationApplyConfiguration{}
|
return &ImageVerificationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
// If called multiple times, the FailureAction field is set to the value of the last call.
|
||||||
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
|
func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
|
||||||
b.ValidationFailureAction = &value
|
b.FailureAction = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -27,17 +27,17 @@ import (
|
||||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ValidationApplyConfiguration struct {
|
type ValidationApplyConfiguration struct {
|
||||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
|
||||||
ValidationFailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
FailureActionOverrides []ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
|
||||||
Message *string `json:"message,omitempty"`
|
Message *string `json:"message,omitempty"`
|
||||||
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||||
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||||
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"`
|
||||||
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"`
|
||||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||||
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||||
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
CEL *CELApplyConfiguration `json:"cel,omitempty"`
|
||||||
Assert *v1alpha1.Any `json:"assert,omitempty"`
|
Assert *v1alpha1.Any `json:"assert,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||||
|
@ -46,23 +46,23 @@ func Validation() *ValidationApplyConfiguration {
|
||||||
return &ValidationApplyConfiguration{}
|
return &ValidationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
// If called multiple times, the FailureAction field is set to the value of the last call.
|
||||||
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||||
b.ValidationFailureAction = &value
|
b.FailureAction = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
|
||||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
|
||||||
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
for i := range values {
|
for i := range values {
|
||||||
if values[i] == nil {
|
if values[i] == nil {
|
||||||
panic("nil value passed to WithValidationFailureActionOverrides")
|
panic("nil value passed to WithFailureActionOverrides")
|
||||||
}
|
}
|
||||||
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
|
||||||
}
|
}
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@ import (
|
||||||
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
|
// ImageVerificationApplyConfiguration represents an declarative configuration of the ImageVerification type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ImageVerificationApplyConfiguration struct {
|
type ImageVerificationApplyConfiguration struct {
|
||||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
|
||||||
Type *v1.ImageVerificationType `json:"type,omitempty"`
|
Type *v1.ImageVerificationType `json:"type,omitempty"`
|
||||||
ImageReferences []string `json:"imageReferences,omitempty"`
|
ImageReferences []string `json:"imageReferences,omitempty"`
|
||||||
SkipImageReferences []string `json:"skipImageReferences,omitempty"`
|
SkipImageReferences []string `json:"skipImageReferences,omitempty"`
|
||||||
|
@ -46,11 +46,11 @@ func ImageVerification() *ImageVerificationApplyConfiguration {
|
||||||
return &ImageVerificationApplyConfiguration{}
|
return &ImageVerificationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
// If called multiple times, the FailureAction field is set to the value of the last call.
|
||||||
func (b *ImageVerificationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
|
func (b *ImageVerificationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ImageVerificationApplyConfiguration {
|
||||||
b.ValidationFailureAction = &value
|
b.FailureAction = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -28,17 +28,17 @@ import (
|
||||||
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
// ValidationApplyConfiguration represents an declarative configuration of the Validation type for use
|
||||||
// with apply.
|
// with apply.
|
||||||
type ValidationApplyConfiguration struct {
|
type ValidationApplyConfiguration struct {
|
||||||
ValidationFailureAction *v1.ValidationFailureAction `json:"validationFailureAction,omitempty"`
|
FailureAction *v1.ValidationFailureAction `json:"failureAction,omitempty"`
|
||||||
ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"validationFailureActionOverrides,omitempty"`
|
FailureActionOverrides []kyvernov1.ValidationFailureActionOverrideApplyConfiguration `json:"failureActionOverrides,omitempty"`
|
||||||
Message *string `json:"message,omitempty"`
|
Message *string `json:"message,omitempty"`
|
||||||
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
Manifests *kyvernov1.ManifestsApplyConfiguration `json:"manifests,omitempty"`
|
||||||
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
ForEachValidation []kyvernov1.ForEachValidationApplyConfiguration `json:"foreach,omitempty"`
|
||||||
RawPattern *kyverno.Any `json:"pattern,omitempty"`
|
RawPattern *kyverno.Any `json:"pattern,omitempty"`
|
||||||
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
|
RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty"`
|
||||||
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
Deny *DenyApplyConfiguration `json:"deny,omitempty"`
|
||||||
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
PodSecurity *kyvernov1.PodSecurityApplyConfiguration `json:"podSecurity,omitempty"`
|
||||||
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
|
CEL *kyvernov1.CELApplyConfiguration `json:"cel,omitempty"`
|
||||||
Assert *v1alpha1.Any `json:"assert,omitempty"`
|
Assert *v1alpha1.Any `json:"assert,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
// ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with
|
||||||
|
@ -47,23 +47,23 @@ func Validation() *ValidationApplyConfiguration {
|
||||||
return &ValidationApplyConfiguration{}
|
return &ValidationApplyConfiguration{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureAction sets the ValidationFailureAction field in the declarative configuration to the given value
|
// WithFailureAction sets the FailureAction field in the declarative configuration to the given value
|
||||||
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
|
||||||
// If called multiple times, the ValidationFailureAction field is set to the value of the last call.
|
// If called multiple times, the FailureAction field is set to the value of the last call.
|
||||||
func (b *ValidationApplyConfiguration) WithValidationFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithFailureAction(value v1.ValidationFailureAction) *ValidationApplyConfiguration {
|
||||||
b.ValidationFailureAction = &value
|
b.FailureAction = &value
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
||||||
// WithValidationFailureActionOverrides adds the given value to the ValidationFailureActionOverrides field in the declarative configuration
|
// WithFailureActionOverrides adds the given value to the FailureActionOverrides field in the declarative configuration
|
||||||
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
|
||||||
// If called multiple times, values provided by each call will be appended to the ValidationFailureActionOverrides field.
|
// If called multiple times, values provided by each call will be appended to the FailureActionOverrides field.
|
||||||
func (b *ValidationApplyConfiguration) WithValidationFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
func (b *ValidationApplyConfiguration) WithFailureActionOverrides(values ...*kyvernov1.ValidationFailureActionOverrideApplyConfiguration) *ValidationApplyConfiguration {
|
||||||
for i := range values {
|
for i := range values {
|
||||||
if values[i] == nil {
|
if values[i] == nil {
|
||||||
panic("nil value passed to WithValidationFailureActionOverrides")
|
panic("nil value passed to WithFailureActionOverrides")
|
||||||
}
|
}
|
||||||
b.ValidationFailureActionOverrides = append(b.ValidationFailureActionOverrides, *values[i])
|
b.FailureActionOverrides = append(b.FailureActionOverrides, *values[i])
|
||||||
}
|
}
|
||||||
return b
|
return b
|
||||||
}
|
}
|
||||||
|
|
|
@ -201,7 +201,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
||||||
spec := pol.AsKyvernoPolicy().GetSpec()
|
spec := pol.AsKyvernoPolicy().GetSpec()
|
||||||
for _, r := range spec.Rules {
|
for _, r := range spec.Rules {
|
||||||
if r.HasValidate() {
|
if r.HasValidate() {
|
||||||
for _, v := range r.Validation.ValidationFailureActionOverrides {
|
for _, v := range r.Validation.FailureActionOverrides {
|
||||||
if !v.Action.IsValid() {
|
if !v.Action.IsValid() {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -224,12 +224,12 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if r.Validation.ValidationFailureAction != nil {
|
if r.Validation.FailureAction != nil {
|
||||||
return *r.Validation.ValidationFailureAction
|
return *r.Validation.FailureAction
|
||||||
}
|
}
|
||||||
} else if r.HasVerifyImages() {
|
} else if r.HasVerifyImages() {
|
||||||
if r.VerifyImages[0].ValidationFailureAction != nil {
|
if r.VerifyImages[0].FailureAction != nil {
|
||||||
return *r.VerifyImages[0].ValidationFailureAction
|
return *r.VerifyImages[0].FailureAction
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -717,7 +717,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &audit,
|
FailureAction: &audit,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -732,7 +732,7 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -773,8 +773,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"*"},
|
Namespaces: []string{"*"},
|
||||||
}},
|
}},
|
||||||
|
@ -792,8 +792,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: "invalid",
|
Action: "invalid",
|
||||||
Namespaces: []string{"*"},
|
Namespaces: []string{"*"},
|
||||||
}},
|
}},
|
||||||
|
@ -970,8 +970,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"foo"},
|
Namespaces: []string{"foo"},
|
||||||
}},
|
}},
|
||||||
|
@ -990,8 +990,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"bar"},
|
Namespaces: []string{"bar"},
|
||||||
}},
|
}},
|
||||||
|
@ -1013,8 +1013,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
|
@ -1040,8 +1040,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
MatchLabels: map[string]string{
|
MatchLabels: map[string]string{
|
||||||
|
@ -1067,8 +1067,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"foo"},
|
Namespaces: []string{"foo"},
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
@ -1095,8 +1095,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"bar"},
|
Namespaces: []string{"bar"},
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
@ -1123,8 +1123,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"foo"},
|
Namespaces: []string{"foo"},
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
@ -1151,8 +1151,8 @@ func TestEngineResponse_GetValidationFailureAction(t *testing.T) {
|
||||||
Rules: []kyvernov1.Rule{
|
Rules: []kyvernov1.Rule{
|
||||||
{
|
{
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
ValidationFailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
FailureActionOverrides: []kyvernov1.ValidationFailureActionOverride{{
|
||||||
Action: kyvernov1.Audit,
|
Action: kyvernov1.Audit,
|
||||||
Namespaces: []string{"*"},
|
Namespaces: []string{"*"},
|
||||||
NamespaceSelector: &metav1.LabelSelector{
|
NamespaceSelector: &metav1.LabelSelector{
|
||||||
|
|
|
@ -60,7 +60,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"message": "The label size is required",
|
"message": "The label size is required",
|
||||||
"pattern": {
|
"pattern": {
|
||||||
"metadata": {
|
"metadata": {
|
||||||
|
@ -88,7 +88,7 @@ func buildTestNamespaceLabelsContext(t *testing.T) api.PolicyContext {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"message": "The label size cannot be changed for a namespace",
|
"message": "The label size cannot be changed for a namespace",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": {
|
"conditions": {
|
||||||
|
|
|
@ -846,7 +846,7 @@ func TestMatchesResourceDescription(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": {"rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
||||||
areErrorsExpected: false,
|
areErrorsExpected: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -873,7 +873,7 @@ func TestMatchesResourceDescription(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
|
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
|
||||||
areErrorsExpected: true,
|
areErrorsExpected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -882,7 +882,7 @@ func TestMatchesResourceDescription(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
||||||
areErrorsExpected: true,
|
areErrorsExpected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1742,7 +1742,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
|
Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
|
||||||
areErrorsExpected: false,
|
areErrorsExpected: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1751,7 +1751,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
||||||
areErrorsExpected: false,
|
areErrorsExpected: false,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1769,7 +1769,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
|
Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "generateName": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "validationFailureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "failureAction": "enforce", "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
|
||||||
areErrorsExpected: true,
|
areErrorsExpected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1778,7 +1778,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
|
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "generateName": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "validationFailureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "failureAction": "enforce", "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
|
||||||
areErrorsExpected: true,
|
areErrorsExpected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1787,7 +1787,7 @@ func TestMatchesResourceDescription_GenerateName(t *testing.T) {
|
||||||
ClusterRoles: []string{"admin"},
|
ClusterRoles: []string{"admin"},
|
||||||
},
|
},
|
||||||
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "generateName": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
|
||||||
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "validationFailureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "pod" ] } }, "validate": { "failureAction": "enforce", "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
|
||||||
areErrorsExpected: true,
|
areErrorsExpected: true,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -689,7 +689,7 @@ func TestValidate_foreach_zero_reported_asskip(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"foreach": [
|
"foreach": [
|
||||||
{
|
{
|
||||||
"list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds",
|
"list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds",
|
||||||
|
@ -1960,7 +1960,7 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.",
|
"message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals.",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": [
|
"conditions": [
|
||||||
|
@ -2151,7 +2151,7 @@ func Test_BlockLabelRemove(t *testing.T) {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "not allowed",
|
"message": "not allowed",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": {
|
"conditions": {
|
||||||
|
@ -2269,7 +2269,7 @@ func TestValidate_context_variable_substitution_CLI(t *testing.T) {
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "restrict pod counts to be no more than 10 on node minikube",
|
"message": "restrict pod counts to be no more than 10 on node minikube",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": [
|
"conditions": [
|
||||||
|
@ -2372,7 +2372,7 @@ func Test_EmptyStringInDenyCondition(t *testing.T) {
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": [
|
"conditions": [
|
||||||
{
|
{
|
||||||
|
@ -2457,7 +2457,7 @@ func Test_StringInDenyCondition(t *testing.T) {
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"deny": {
|
"deny": {
|
||||||
"conditions": [
|
"conditions": [
|
||||||
{
|
{
|
||||||
|
@ -3006,7 +3006,7 @@ func Test_outof_foreach_element_validation(t *testing.T) {
|
||||||
"name": "test",
|
"name": "test",
|
||||||
"match": {"resources": { "kinds": [ "Pod" ] } },
|
"match": {"resources": { "kinds": [ "Pod" ] } },
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "Invalid name",
|
"message": "Invalid name",
|
||||||
"pattern": {
|
"pattern": {
|
||||||
"name": "{{ element.name }}"
|
"name": "{{ element.name }}"
|
||||||
|
@ -3045,7 +3045,7 @@ func Test_foreach_skip_initContainer_pass(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "unknown registry",
|
"message": "unknown registry",
|
||||||
"foreach": [
|
"foreach": [
|
||||||
{
|
{
|
||||||
|
@ -3216,7 +3216,7 @@ func Test_delete_ignore_pattern(t *testing.T) {
|
||||||
"name": "test",
|
"name": "test",
|
||||||
"match": {"resources": { "kinds": [ "Pod" ] } },
|
"match": {"resources": { "kinds": [ "Pod" ] } },
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"message": "Invalid label",
|
"message": "Invalid label",
|
||||||
"pattern": {
|
"pattern": {
|
||||||
"metadata" : {
|
"metadata" : {
|
||||||
|
|
|
@ -87,12 +87,12 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
|
||||||
}
|
}
|
||||||
|
|
||||||
// if the field isn't set, use the higher level policy setting
|
// if the field isn't set, use the higher level policy setting
|
||||||
validationFailureAction := rule.Validation.ValidationFailureAction
|
validationFailureAction := rule.Validation.FailureAction
|
||||||
if validationFailureAction == nil {
|
if validationFailureAction == nil {
|
||||||
validationFailureAction = &policy.GetSpec().ValidationFailureAction
|
validationFailureAction = &policy.GetSpec().ValidationFailureAction
|
||||||
}
|
}
|
||||||
|
|
||||||
validationFailureActionOverrides := rule.Validation.ValidationFailureActionOverrides
|
validationFailureActionOverrides := rule.Validation.FailureActionOverrides
|
||||||
if len(validationFailureActionOverrides) == 0 {
|
if len(validationFailureActionOverrides) == 0 {
|
||||||
validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides
|
validationFailureActionOverrides = policy.GetSpec().ValidationFailureActionOverrides
|
||||||
}
|
}
|
||||||
|
|
|
@ -109,11 +109,11 @@ func (m *policyMap) set(key string, policy kyvernov1.PolicyInterface, client Res
|
||||||
kindStates := map[policyKey]state{}
|
kindStates := map[policyKey]state{}
|
||||||
for _, rule := range autogen.ComputeRules(policy, "") {
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
||||||
if rule.HasValidate() {
|
if rule.HasValidate() {
|
||||||
action := rule.Validation.ValidationFailureAction
|
action := rule.Validation.FailureAction
|
||||||
if action != nil && action.Enforce() {
|
if action != nil && action.Enforce() {
|
||||||
enforcePolicy = true
|
enforcePolicy = true
|
||||||
}
|
}
|
||||||
for _, k := range rule.Validation.ValidationFailureActionOverrides {
|
for _, k := range rule.Validation.FailureActionOverrides {
|
||||||
if k.Action.Enforce() {
|
if k.Action.Enforce() {
|
||||||
enforcePolicy = true
|
enforcePolicy = true
|
||||||
}
|
}
|
||||||
|
|
|
@ -123,7 +123,7 @@ func BuildValidatingAdmissionPolicyBinding(
|
||||||
|
|
||||||
// set validation action for vap binding
|
// set validation action for vap binding
|
||||||
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
var validationActions []admissionregistrationv1alpha1.ValidationAction
|
||||||
validateAction := cpol.GetSpec().Rules[0].Validation.ValidationFailureAction
|
validateAction := cpol.GetSpec().Rules[0].Validation.FailureAction
|
||||||
if validateAction != nil {
|
if validateAction != nil {
|
||||||
if validateAction.Enforce() {
|
if validateAction.Enforce() {
|
||||||
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
validationActions = append(validationActions, admissionregistrationv1alpha1.Deny)
|
||||||
|
|
|
@ -67,7 +67,7 @@ func checkPolicy(spec *kyvernov1.Spec) (bool, string) {
|
||||||
return false, msg
|
return false, msg
|
||||||
}
|
}
|
||||||
|
|
||||||
if ok, msg := checkValidationFailureActionOverrides(rule.Validation.ValidationFailureActionOverrides); !ok {
|
if ok, msg := checkValidationFailureActionOverrides(rule.Validation.FailureActionOverrides); !ok {
|
||||||
return false, msg
|
return false, msg
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -649,8 +649,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"validationFailureActionOverrides": [
|
"failureActionOverrides": [
|
||||||
{
|
{
|
||||||
"action": "Enforce",
|
"action": "Enforce",
|
||||||
"namespaces": [
|
"namespaces": [
|
||||||
|
@ -704,8 +704,8 @@ func Test_Can_Generate_ValidatingAdmissionPolicy(t *testing.T) {
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "Enforce",
|
"failureAction": "Enforce",
|
||||||
"validationFailureActionOverrides": [
|
"failureActionOverrides": [
|
||||||
{
|
{
|
||||||
"action": "Enforce",
|
"action": "Enforce",
|
||||||
"namespaces": [
|
"namespaces": [
|
||||||
|
|
|
@ -140,8 +140,8 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
||||||
warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...)
|
warnings = append(warnings, checkValidationFailureAction(spec.ValidationFailureAction, spec.ValidationFailureActionOverrides)...)
|
||||||
for _, rule := range spec.Rules {
|
for _, rule := range spec.Rules {
|
||||||
if rule.HasValidate() {
|
if rule.HasValidate() {
|
||||||
if rule.Validation.ValidationFailureAction != nil {
|
if rule.Validation.FailureAction != nil {
|
||||||
warnings = append(warnings, checkValidationFailureAction(*rule.Validation.ValidationFailureAction, rule.Validation.ValidationFailureActionOverrides)...)
|
warnings = append(warnings, checkValidationFailureAction(*rule.Validation.FailureAction, rule.Validation.FailureActionOverrides)...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -207,7 +207,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
||||||
if !policy.IsNamespaced() {
|
if !policy.IsNamespaced() {
|
||||||
for i, r := range spec.Rules {
|
for i, r := range spec.Rules {
|
||||||
if r.HasValidate() {
|
if r.HasValidate() {
|
||||||
err := validateNamespaces(r.Validation.ValidationFailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
|
err := validateNamespaces(r.Validation.FailureActionOverrides, specPath.Child("rules").Index(i).Child("validate").Child("validationFailureActionOverrides"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return warnings, err
|
return warnings, err
|
||||||
}
|
}
|
||||||
|
@ -337,7 +337,7 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf
|
||||||
|
|
||||||
verifyImagePath := rulePath.Child("verifyImages")
|
verifyImagePath := rulePath.Child("verifyImages")
|
||||||
for index, i := range rule.VerifyImages {
|
for index, i := range rule.VerifyImages {
|
||||||
action := i.ValidationFailureAction
|
action := i.FailureAction
|
||||||
if action != nil {
|
if action != nil {
|
||||||
if action.Audit() {
|
if action.Audit() {
|
||||||
isAuditFailureAction = true
|
isAuditFailureAction = true
|
||||||
|
|
|
@ -1071,8 +1071,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "audit",
|
"failureAction": "audit",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1141,8 +1141,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "audit",
|
"failureAction": "audit",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1213,8 +1213,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "audit",
|
"failureAction": "audit",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1283,8 +1283,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1353,8 +1353,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1425,8 +1425,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1495,8 +1495,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -1568,8 +1568,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "audit",
|
"action": "audit",
|
||||||
|
@ -1644,8 +1644,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "audit",
|
"action": "audit",
|
||||||
|
@ -1717,8 +1717,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "audit",
|
"action": "audit",
|
||||||
|
@ -1790,8 +1790,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "audit",
|
"action": "audit",
|
||||||
|
@ -1866,8 +1866,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "enforce",
|
"failureAction": "enforce",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "audit",
|
"action": "audit",
|
||||||
|
@ -1942,8 +1942,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "audit",
|
"failureAction": "audit",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
@ -2017,8 +2017,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"validate": {
|
"validate": {
|
||||||
"validationFailureAction": "audit",
|
"failureAction": "audit",
|
||||||
"validationFailureActionOverrides":
|
"failureActionOverrides":
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"action": "enforce",
|
"action": "enforce",
|
||||||
|
|
|
@ -72,7 +72,7 @@ func TestBlockRequest(t *testing.T) {
|
||||||
{
|
{
|
||||||
Name: "rule-audit",
|
Name: "rule-audit",
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &audit,
|
FailureAction: &audit,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -88,7 +88,7 @@ func TestBlockRequest(t *testing.T) {
|
||||||
{
|
{
|
||||||
Name: "rule-enforce",
|
Name: "rule-enforce",
|
||||||
Validation: kyvernov1.Validation{
|
Validation: kyvernov1.Validation{
|
||||||
ValidationFailureAction: &enforce,
|
FailureAction: &enforce,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: "The foo label must be set."
|
message: "The foo label must be set."
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: validate-image-tag
|
name: validate-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
@ -48,7 +48,7 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: DELETE
|
value: DELETE
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
foreach:
|
foreach:
|
||||||
- deny:
|
- deny:
|
||||||
conditions:
|
conditions:
|
||||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: DELETE
|
value: DELETE
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
foreach:
|
foreach:
|
||||||
- context:
|
- context:
|
||||||
- imageRegistry:
|
- imageRegistry:
|
||||||
|
@ -57,7 +57,7 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: DELETE
|
value: DELETE
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
foreach:
|
foreach:
|
||||||
- context:
|
- context:
|
||||||
- imageRegistry:
|
- imageRegistry:
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: validate-default-proc-mount
|
name: validate-default-proc-mount
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: Default proc mount should set to Unmasked
|
message: Default proc mount should set to Unmasked
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: validate-selinux-options
|
name: validate-selinux-options
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: SELinux level is required
|
message: SELinux level is required
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: validate-volumes-whitelist
|
name: validate-volumes-whitelist
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- spec:
|
- spec:
|
||||||
volumes:
|
volumes:
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: >-
|
message: >-
|
||||||
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
|
||||||
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
spec.hostIPC, and spec.hostPID must be unset or set to `false`.
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: "A maximum of 2 containers are allowed inside a Pod."
|
message: "A maximum of 2 containers are allowed inside a Pod."
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
podSecurity:
|
podSecurity:
|
||||||
level: baseline
|
level: baseline
|
||||||
version: latest
|
version: latest
|
||||||
|
|
|
@ -36,4 +36,4 @@ spec:
|
||||||
labels:
|
labels:
|
||||||
=(schiff.telekom.de/owner): '!schiff'
|
=(schiff.telekom.de/owner): '!schiff'
|
||||||
platform.das-schiff.telekom.de/owner: '!das-schiff'
|
platform.das-schiff.telekom.de/owner: '!das-schiff'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- test
|
- test
|
||||||
name: require-image-tag
|
name: require-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: An image tag is required.
|
message: An image tag is required.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
@ -41,4 +41,4 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: '!*:latest'
|
- image: '!*:latest'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- test
|
- test
|
||||||
name: require-image-tag
|
name: require-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: An image tag is required.
|
message: An image tag is required.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
@ -41,4 +41,4 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: '!*:latest'
|
- image: '!*:latest'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- test
|
- test
|
||||||
name: require-image-tag
|
name: require-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: An image tag is required.
|
message: An image tag is required.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
@ -41,4 +41,4 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: '!*:latest'
|
- image: '!*:latest'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: require-image-tag
|
name: require-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: An image tag is required.
|
message: An image tag is required.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
@ -34,7 +34,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: validate-image-tag
|
name: validate-image-tag
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -17,6 +17,6 @@ spec:
|
||||||
- namespace2
|
- namespace2
|
||||||
name: disallow
|
name: disallow
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
deny: {}
|
deny: {}
|
||||||
message: This resource is protected and changes are not allowed.
|
message: This resource is protected and changes are not allowed.
|
||||||
|
|
|
@ -20,7 +20,7 @@ spec:
|
||||||
- managed
|
- managed
|
||||||
name: validate-name
|
name: validate-name
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: The Pod must end with -nginx
|
message: The Pod must end with -nginx
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Service
|
- Service
|
||||||
name: check-loadbalancer-public
|
name: check-loadbalancer-public
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- metadata:
|
- metadata:
|
||||||
annotations:
|
annotations:
|
||||||
|
|
|
@ -28,4 +28,4 @@ spec:
|
||||||
validate:
|
validate:
|
||||||
message: Do nothing!
|
message: Do nothing!
|
||||||
pattern: {}
|
pattern: {}
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: check-for-labels
|
name: check-for-labels
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: Both `app` and `owner` labels must be set on all workloads
|
message: Both `app` and `owner` labels must be set on all workloads
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -15,7 +15,7 @@ spec:
|
||||||
- expression: "object.metadata.labels['color'] == 'red'"
|
- expression: "object.metadata.labels['color'] == 'red'"
|
||||||
name: "Label should be red"
|
name: "Label should be red"
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
cel:
|
cel:
|
||||||
expressions:
|
expressions:
|
||||||
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
- expression: "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))"
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Deployment
|
- Deployment
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
cel:
|
cel:
|
||||||
expressions:
|
expressions:
|
||||||
- expression: "namespaceObject.metadata.name != 'default'"
|
- expression: "namespaceObject.metadata.name != 'default'"
|
||||||
|
|
|
@ -32,4 +32,4 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: true
|
verifyDigest: true
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-value
|
name: defined-value
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ example.test.nested.value }}'
|
- key: '{{ example.test.nested.value }}'
|
||||||
|
@ -38,7 +38,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-jmespath
|
name: defined-jmespath
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ objName }}'
|
- key: '{{ objName }}'
|
||||||
|
@ -56,7 +56,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-jmespath-with-default
|
name: defined-jmespath-with-default
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ objName }}'
|
- key: '{{ objName }}'
|
||||||
|
@ -74,7 +74,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-value-with-variable
|
name: defined-value-with-variable
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ obj.name }}'
|
- key: '{{ obj.name }}'
|
||||||
|
@ -92,7 +92,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-jmespath-with-default-variable
|
name: defined-jmespath-with-default-variable
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ objName }}'
|
- key: '{{ objName }}'
|
||||||
|
@ -111,7 +111,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-value-jmespath
|
name: defined-value-jmespath
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ objName }}'
|
- key: '{{ objName }}'
|
||||||
|
@ -133,7 +133,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: defined-value-jmespath-variable
|
name: defined-value-jmespath-variable
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ objName }}'
|
- key: '{{ objName }}'
|
||||||
|
@ -155,7 +155,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: value-override
|
name: value-override
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
any:
|
any:
|
||||||
|
@ -178,7 +178,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: wildcard-match
|
name: wildcard-match
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: A=*
|
- key: A=*
|
||||||
|
@ -205,7 +205,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: items
|
name: items
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ obj }}'
|
- key: '{{ obj }}'
|
||||||
|
@ -234,7 +234,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: unused-var
|
name: unused-var
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
- key: '{{ modifiedObj }}'
|
- key: '{{ modifiedObj }}'
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
- Pod
|
- Pod
|
||||||
name: block-images
|
name: block-images
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
foreach:
|
foreach:
|
||||||
- context:
|
- context:
|
||||||
- imageRegistry:
|
- imageRegistry:
|
||||||
|
|
|
@ -19,7 +19,7 @@ spec:
|
||||||
- key: '{{base64_decode(request.object.data.value)}}'
|
- key: '{{base64_decode(request.object.data.value)}}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: '{{request.object.metadata.labels.value}}'
|
value: '{{request.object.metadata.labels.value}}'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -42,7 +42,7 @@ spec:
|
||||||
- key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}'
|
- key: '{{pattern_match(''prefix-*'', request.object.metadata.labels.value)}}'
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: false
|
value: false
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -78,7 +78,7 @@ spec:
|
||||||
- key: '{{ element.hostPath.path }}'
|
- key: '{{ element.hostPath.path }}'
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: ""
|
value: ""
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -101,7 +101,7 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: b
|
value: b
|
||||||
message: Test JMESPath
|
message: Test JMESPath
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -124,7 +124,7 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: a
|
value: a
|
||||||
message: Test JMESPath
|
message: Test JMESPath
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -148,7 +148,7 @@ spec:
|
||||||
value: '{{request.object.metadata.annotations.test | parse_yaml(@).array
|
value: '{{request.object.metadata.annotations.test | parse_yaml(@).array
|
||||||
}}'
|
}}'
|
||||||
message: Test JMESPath
|
message: Test JMESPath
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -175,4 +175,4 @@ spec:
|
||||||
message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N
|
message: 'public key modulus mismatch: "{{ x509_decode(''{{request.object.data.cert}}'').PublicKey.N
|
||||||
}}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N
|
}}" != "{{ x509_decode(''{{base64_decode(''{{request.object.data.certB64}}'')}}'').PublicKey.N
|
||||||
}}"'
|
}}"'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -39,4 +39,4 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
=(securityContext):
|
=(securityContext):
|
||||||
=(supplementalGroups): 100-200 | 500-600
|
=(supplementalGroups): 100-200 | 500-600
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -30,4 +30,4 @@ spec:
|
||||||
deny: {}
|
deny: {}
|
||||||
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
||||||
should not be modified by non-admin users.
|
should not be modified by non-admin users.
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -26,4 +26,4 @@ spec:
|
||||||
deny: {}
|
deny: {}
|
||||||
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
||||||
should not be modified by non-admin users.
|
should not be modified by non-admin users.
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -35,4 +35,4 @@ spec:
|
||||||
deny: {}
|
deny: {}
|
||||||
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
|
||||||
should not be modified by non-admin users.
|
should not be modified by non-admin users.
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -14,7 +14,7 @@ spec:
|
||||||
operations:
|
operations:
|
||||||
- DELETE
|
- DELETE
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: Pod cannot be deleted
|
message: Pod cannot be deleted
|
||||||
deny: {}
|
deny: {}
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Pod
|
- Pod
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: Pod cannot be deleted
|
message: Pod cannot be deleted
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
|
|
|
@ -33,4 +33,4 @@ spec:
|
||||||
deny: {}
|
deny: {}
|
||||||
message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated
|
message: '{{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated
|
||||||
and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
|
and will be removed in v1.25. See: https://kubernetes.io/docs/reference/using-api/deprecation-guide/'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -28,4 +28,4 @@ spec:
|
||||||
anyPattern:
|
anyPattern:
|
||||||
- kind: '!Service'
|
- kind: '!Service'
|
||||||
message: Can't create a service. Sorry...
|
message: Can't create a service. Sorry...
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -36,7 +36,7 @@ spec:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
require-requests-limits.kyverno.io/exclude: "true"
|
require-requests-limits.kyverno.io/exclude: "true"
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: "CPU and memory resource requests and limits are required."
|
message: "CPU and memory resource requests and limits are required."
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -41,4 +41,4 @@ spec:
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: "false"
|
value: "false"
|
||||||
message: Exec'ing into Pods protected with the label `exec=false` is forbidden.
|
message: Exec'ing into Pods protected with the label `exec=false` is forbidden.
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -32,4 +32,4 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: ""
|
value: ""
|
||||||
message: Limits may not exceed 2.5x the requests.
|
message: Limits may not exceed 2.5x the requests.
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -25,7 +25,7 @@ spec:
|
||||||
- (name): '{{element.name}}'
|
- (name): '{{element.name}}'
|
||||||
mountPath: /tmp/*
|
mountPath: /tmp/*
|
||||||
message: emptyDir volumes must be mounted under /tmp
|
message: emptyDir volumes must be mounted under /tmp
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -56,7 +56,7 @@ spec:
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- <(name): '{{element.name}}'
|
- <(name): '{{element.name}}'
|
||||||
message: ephemeral-storage requests and limits are required for emptyDir volumes
|
message: ephemeral-storage requests and limits are required for emptyDir volumes
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -82,7 +82,7 @@ spec:
|
||||||
value: ghcr.io
|
value: ghcr.io
|
||||||
list: request.object.spec.containers[].image
|
list: request.object.spec.containers[].image
|
||||||
message: images must begin with ghcr.io
|
message: images must begin with ghcr.io
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -109,4 +109,4 @@ spec:
|
||||||
elementScope: true
|
elementScope: true
|
||||||
list: request.object.spec.containers[].image
|
list: request.object.spec.containers[].image
|
||||||
message: images must begin with ghcr.io
|
message: images must begin with ghcr.io
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -24,7 +24,7 @@ spec:
|
||||||
- CREATE
|
- CREATE
|
||||||
- UPDATE
|
- UPDATE
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
deny:
|
deny:
|
||||||
conditions:
|
conditions:
|
||||||
any:
|
any:
|
||||||
|
|
|
@ -22,4 +22,4 @@ spec:
|
||||||
required: false
|
required: false
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: true
|
verifyDigest: true
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -23,5 +23,5 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: false
|
verifyDigest: false
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
webhookTimeoutSeconds: 30
|
webhookTimeoutSeconds: 30
|
||||||
|
|
|
@ -36,4 +36,4 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: true
|
verifyDigest: true
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -37,7 +37,7 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: true
|
verifyDigest: true
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -81,4 +81,4 @@ spec:
|
||||||
required: true
|
required: true
|
||||||
useCache: true
|
useCache: true
|
||||||
verifyDigest: false
|
verifyDigest: false
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -26,7 +26,7 @@ spec:
|
||||||
a: "1"
|
a: "1"
|
||||||
test: ""
|
test: ""
|
||||||
message: All pod labels must match except test
|
message: All pod labels must match except test
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
---
|
---
|
||||||
apiVersion: kyverno.io/v1
|
apiVersion: kyverno.io/v1
|
||||||
kind: ClusterPolicy
|
kind: ClusterPolicy
|
||||||
|
@ -51,4 +51,4 @@ spec:
|
||||||
value: false
|
value: false
|
||||||
message: For creating a namespace you need to set the objectid of the Azure
|
message: For creating a namespace you need to set the objectid of the Azure
|
||||||
AD Group that needs access to this namespace as the aadobjectid label
|
AD Group that needs access to this namespace as the aadobjectid label
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -56,4 +56,4 @@ spec:
|
||||||
- CREATE
|
- CREATE
|
||||||
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
|
message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}}
|
||||||
resource is protected. Admin or allowed users can change the resource'
|
resource is protected. Admin or allowed users can change the resource'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -16,7 +16,7 @@ spec:
|
||||||
name: test*
|
name: test*
|
||||||
name: validate-yaml
|
name: validate-yaml
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
manifests:
|
manifests:
|
||||||
attestors:
|
attestors:
|
||||||
- count: 1
|
- count: 1
|
||||||
|
@ -43,7 +43,7 @@ spec:
|
||||||
name: test*
|
name: test*
|
||||||
name: validate-yaml-multi-sig
|
name: validate-yaml-multi-sig
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
manifests:
|
manifests:
|
||||||
attestors:
|
attestors:
|
||||||
- entries:
|
- entries:
|
||||||
|
|
|
@ -21,7 +21,7 @@ spec:
|
||||||
- user-?*
|
- user-?*
|
||||||
name: ondemand-managed_by
|
name: ondemand-managed_by
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
|
message: '{{ request.object.metadata.namespace }} pods must be managed by open-ondemand'
|
||||||
pattern:
|
pattern:
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
@ -17,7 +17,7 @@ spec:
|
||||||
operator: Equals
|
operator: Equals
|
||||||
value: 'LoadBalancer'
|
value: 'LoadBalancer'
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: >-
|
message: >-
|
||||||
Only approved ports may be used for LoadBalancer services.
|
Only approved ports may be used for LoadBalancer services.
|
||||||
foreach:
|
foreach:
|
||||||
|
@ -38,7 +38,7 @@ spec:
|
||||||
kinds:
|
kinds:
|
||||||
- Service
|
- Service
|
||||||
validate:
|
validate:
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
|
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
|
||||||
pattern:
|
pattern:
|
||||||
spec:
|
spec:
|
||||||
|
|
|
@ -23,4 +23,4 @@ spec:
|
||||||
value:
|
value:
|
||||||
- busybox
|
- busybox
|
||||||
- busybox1
|
- busybox1
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -44,4 +44,4 @@ spec:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
foo: '*'
|
foo: '*'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -37,4 +37,4 @@ spec:
|
||||||
operator: NotEquals
|
operator: NotEquals
|
||||||
value: 2400
|
value: 2400
|
||||||
message: certificate duration must be < than 2400h (100 days)
|
message: certificate duration must be < than 2400h (100 days)
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -32,4 +32,4 @@ spec:
|
||||||
status:
|
status:
|
||||||
nodeInfo:
|
nodeInfo:
|
||||||
kernelVersion: '!5.10.84-1 & !5.15.5-2'
|
kernelVersion: '!5.10.84-1 & !5.15.5-2'
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -28,4 +28,4 @@ spec:
|
||||||
periodSeconds: '>0'
|
periodSeconds: '>0'
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
periodSeconds: '>0'
|
periodSeconds: '>0'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
|
@ -33,4 +33,4 @@ spec:
|
||||||
operator: AnyNotIn
|
operator: AnyNotIn
|
||||||
value: '{{request.object.metadata.keys(@)}}'
|
value: '{{request.object.metadata.keys(@)}}'
|
||||||
message: naked pods are not allowed
|
message: naked pods are not allowed
|
||||||
validationFailureAction: Audit
|
failureAction: Audit
|
||||||
|
|
|
@ -24,4 +24,4 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: '*busybox*'
|
- name: '*busybox*'
|
||||||
validationFailureAction: Enforce
|
failureAction: Enforce
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Add table
Reference in a new issue