mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

update policyreport group to wgpolicyk8s.io

Shuting Zhao 2020-11-11 15:09:07 -08:00
parent 0d963455c9
commit 2292bf860b
36 changed files with 6803 additions and 6721 deletions


@ -184,9 +184,9 @@ release:
kustomize build ./definitions > ./definitions/release/install.yaml
report-crd: controller-gen
$(CONTROLLER_GEN) crd:trivialVersions=true paths="./pkg/api/policyreport/v1alpha1" output:dir=./definitions/crds
$(CONTROLLER_GEN) crd:trivialVersions=true paths=./pkg/api/policyreport/v1alpha1 output:dir=./definitions/crds
$(CONTROLLER_GEN) object paths=./pkg/api/policyreport/v1alpha1
$(CONTROLLER_GEN) crd:trivialVersions=true paths="./pkg/api/kyverno/v1alpha1" output:dir=./definitions/crds
$(CONTROLLER_GEN) crd:trivialVersions=true paths=./pkg/api/kyverno/v1alpha1 output:dir=./definitions/crds
$(CONTROLLER_GEN) object paths=./pkg/api/kyverno/v1alpha1
# find or download controller-gen
@ -198,7 +198,7 @@ ifeq (, $(shell which controller-gen))
CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
cd $$CONTROLLER_GEN_TMP_DIR ;\
go mod init tmp ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.0 ;\
rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
}
CONTROLLER_GEN=$(GOBIN)/controller-gen
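Review bot: The bump to `controller-gen@v0.4.0` only takes effect on machines where no controller-gen is on PATH, because the enclosing `ifeq (, $(shell which controller-gen))` guard (visible in the hunk header) reuses whatever binary is already installed. A developer who still has v0.2.5 installed would presumably regenerate the CRDs as `apiextensions.k8s.io/v1beta1` and silently revert the schema changes made elsewhere in this commit. Consider checking the installed version before reusing it, or at least adding a comment such as `# CRDs under definitions/crds are generated with controller-gen v0.4.0; remove older binaries from PATH before running report-crd`. The conditional block starts and ends outside the hunk.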

File diff suppressed because it is too large Load diff


@ -204,8 +204,8 @@ func main() {
)
prgen = policyreport.NewReportGenerator(client,
pInformer.Policy().V1alpha1().ClusterPolicyReports(),
pInformer.Policy().V1alpha1().PolicyReports(),
pInformer.Wgpolicyk8s().V1alpha1().ClusterPolicyReports(),
pInformer.Wgpolicyk8s().V1alpha1().PolicyReports(),
pInformer.Kyverno().V1alpha1().ReportChangeRequests(),
pInformer.Kyverno().V1alpha1().ClusterReportChangeRequests(),
kubeInformer.Core().V1().Namespaces(),
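Review bot: Nothing in this hunk shows the controller's service account being granted list/watch on the `wgpolicyk8s.io` group, which the two new informers `pInformer.Wgpolicyk8s().V1alpha1().ClusterPolicyReports()` and `.PolicyReports()` depend on. If the ClusterRole rules still name `policy.k8s.io`, these informers would not sync and policy results would stop being recorded; the RBAC manifests may well be updated among the other changed files, but that is not visible here. A short comment above the call, e.g. `// policy reports live in the wgpolicyk8s.io group; RBAC must grant list/watch on it`, would tie the two together. main's body continues outside the hunk.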


@ -3,7 +3,7 @@ kind: Kustomization
resources:
- ./crds.yaml
- ./policy.k8s.io_clusterpolicyreports.yaml
- ./policy.k8s.io_policyreports.yaml
- ./wgpolicyk8s.io_clusterpolicyreports.yaml
- ./wgpolicyk8s.io_policyreports.yaml
- ./kyverno.io_reportchangerequests.yaml
- ./kyverno.io_clusterreportchangerequests.yaml
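Review bot: Swapping the two `policy.k8s.io_*` entries for `wgpolicyk8s.io_*` changes what a fresh install creates, but it does not remove the old CRDs from a cluster that is upgraded in place. Reports already stored under `policy.k8s.io` would presumably stay behind, stale and no longer updated, which can mislead anyone auditing policy results after the upgrade. A comment in this file, e.g. `# policy.k8s.io report CRDs were replaced by wgpolicyk8s.io; delete the old CRDs when upgrading`, or an equivalent upgrade note, would make the cleanup step explicit.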


@ -1,40 +1,13 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterreportchangerequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .scope.kind
name: Kind
priority: 1
type: string
- JSONPath: .scope.name
name: Name
priority: 1
type: string
- JSONPath: .summary.pass
name: Pass
type: integer
- JSONPath: .summary.fail
name: Fail
type: integer
- JSONPath: .summary.warn
name: Warn
type: integer
- JSONPath: .summary.error
name: Error
type: integer
- JSONPath: .summary.skip
name: Skip
type: integer
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: ClusterReportChangeRequest
@ -42,290 +15,319 @@ spec:
plural: clusterreportchangerequests
singular: clusterreportchangerequest
scope: Namespaced
subresources: {}
validation:
openAPIV3Schema:
description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
description: Data provides additional information for the policy rule
type: object
message:
description: Message is a short user friendly description of the policy
rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
apiVersion:
description: API version of the referent.
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""


@ -1,40 +1,13 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: reportchangerequests.kyverno.io
spec:
additionalPrinterColumns:
- JSONPath: .scope.kind
name: Kind
priority: 1
type: string
- JSONPath: .scope.name
name: Name
priority: 1
type: string
- JSONPath: .summary.pass
name: Pass
type: integer
- JSONPath: .summary.fail
name: Fail
type: integer
- JSONPath: .summary.warn
name: Warn
type: integer
- JSONPath: .summary.error
name: Error
type: integer
- JSONPath: .summary.skip
name: Skip
type: integer
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: kyverno.io
names:
kind: ReportChangeRequest
@ -42,290 +15,319 @@ spec:
plural: reportchangerequests
singular: reportchangerequest
scope: Namespaced
subresources: {}
validation:
openAPIV3Schema:
description: ReportChangeRequest is the Schema for the ReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ReportChangeRequest is the Schema for the ReportChangeRequests
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
description: Data provides additional information for the policy rule
type: object
message:
description: Message is a short user friendly description of the policy
rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
apiVersion:
description: API version of the referent.
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""


@ -1,336 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: clusterpolicyreports.policy.k8s.io
spec:
additionalPrinterColumns:
- JSONPath: .scope.kind
name: Kind
priority: 1
type: string
- JSONPath: .scope.name
name: Name
priority: 1
type: string
- JSONPath: .summary.pass
name: Pass
type: integer
- JSONPath: .summary.fail
name: Fail
type: integer
- JSONPath: .summary.warn
name: Warn
type: integer
- JSONPath: .summary.error
name: Error
type: integer
- JSONPath: .summary.skip
name: Skip
type: integer
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: policy.k8s.io
names:
kind: ClusterPolicyReport
listKind: ClusterPolicyReportList
plural: clusterpolicyreports
shortNames:
- cpolr
singular: clusterpolicyreport
scope: Namespaced
subresources: {}
validation:
openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy rule
type: object
message:
description: Message is a short user friendly description of the policy
rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -1,335 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.5
creationTimestamp: null
name: policyreports.policy.k8s.io
spec:
additionalPrinterColumns:
- JSONPath: .scope.kind
name: Kind
priority: 1
type: string
- JSONPath: .scope.name
name: Name
priority: 1
type: string
- JSONPath: .summary.pass
name: Pass
type: integer
- JSONPath: .summary.fail
name: Fail
type: integer
- JSONPath: .summary.warn
name: Warn
type: integer
- JSONPath: .summary.error
name: Error
type: integer
- JSONPath: .summary.skip
name: Skip
type: integer
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
group: policy.k8s.io
names:
kind: PolicyReport
listKind: PolicyReportList
plural: policyreports
shortNames:
- polr
singular: policyreport
scope: Namespaced
subresources: {}
validation:
openAPIV3Schema:
description: PolicyReport is the Schema for the policyreports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy rule
type: object
message:
description: Message is a short user friendly description of the policy
rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access statement,
such as desiredState.manifest.containers[2]. For example, if the object
reference is to a container within a pod, this would take on a value
like: "spec.containers{name}" (where "name" refers to the name of
the container that triggered the event) or if no container name is
specified "spec.containers[2]" (container with index 2 in this pod).
This syntax is chosen only to have some well-defined way of referencing
a part of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is made,
if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes (e.g.
Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the operator
is Exists or DoesNotExist, the values array must be empty. This
array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []


@ -0,0 +1,338 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: ClusterPolicyReport
listKind: ClusterPolicyReportList
plural: clusterpolicyreports
shortNames:
- cpolr
singular: clusterpolicyreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterPolicyReport is the Schema for the clusterpolicyreports
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
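Review bot: `scope: Namespaced` under `spec` looks unintended for a kind named ClusterPolicyReport. The PolicyReport CRD added in the same commit is also `Namespaced`, so the two resources differ only by name, and a cluster-wide report would have to live in a namespace and be read through namespace-level RBAC. If cluster scope is intended, the manifest should read `scope: Cluster`. The annotation shows the file is produced by controller-gen, so the change presumably belongs in the resource marker on the Go type (not visible on this page) rather than in a hand edit here.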


@ -0,0 +1,337 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
names:
kind: PolicyReport
listKind: PolicyReportList
plural: policyreports
shortNames:
- polr
singular: policyreport
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .scope.kind
name: Kind
priority: 1
type: string
- jsonPath: .scope.name
name: Name
priority: 1
type: string
- jsonPath: .summary.pass
name: Pass
type: integer
- jsonPath: .summary.fail
name: Fail
type: integer
- jsonPath: .summary.warn
name: Warn
type: integer
- jsonPath: .summary.error
name: Error
type: integer
- jsonPath: .summary.skip
name: Skip
type: integer
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: PolicyReport is the Schema for the policyreports API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
results:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy
properties:
category:
description: Category indicates policy category
type: string
data:
additionalProperties:
type: string
description: Data provides additional information for the policy
rule
type: object
message:
description: Message is a short user friendly description of the
policy rule
type: string
policy:
description: Policy is the name of the policy
type: string
resourceSelector:
description: ResourceSelector is an optional selector for policy
results that apply to multiple resources. For example, a policy
result may apply to all pods that match a label. Either a Resource
or a ResourceSelector can be specified. If neither are provided,
the result is assumed to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource
checked by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many
fields which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage,
which makes it hard for users to predict what will happen. 4.
The fields are both imprecise and overly precise. Kind is not
a precise mapping to a URL. This can produce ambiguity during
interpretation and require a REST mapping. In most cases, the
dependency is on the group,resource tuple and the version
of the actual struct is irrelevant. 5. We cannot easily change
it. Because this type is embedded in many locations, updates
to this type will affect numerous schemas. Don''t make
new APIs embed an underspecified API type they do not control.
Instead of using this type, create a locally provided and used
type that is well-focused on your reference. For example, ServiceReferences
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead
of an entire object, this string should contain a valid
JSON/Go field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part
of an object. TODO: this design is not final and this field
is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
scored:
description: Scored indicates if this policy rule is scored
type: boolean
severity:
description: Severity indicates policy severity
enum:
- high
- low
- medium
type: string
status:
description: Status indicates the result of the policy rule check
enum:
- pass
- fail
- warn
- error
- skip
type: string
required:
- policy
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g.
a Deployment, Namespace, or Node)
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of an entire
object, this string should contain a valid JSON/Go field access
statement, such as desiredState.manifest.containers[2]. For example,
if the object reference is to a container within a pod, this would
take on a value like: "spec.containers{name}" (where "name" refers
to the name of the container that triggered the event) or if no
container name is specified "spec.containers[2]" (container with
index 2 in this pod). This syntax is chosen only to have some well-defined
way of referencing a part of an object. TODO: this design is not
final and this field is subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference is
made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
scopeSelector:
description: ScopeSelector is an optional selector for multiple scopes
(e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector
should be specified.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains
values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to a set
of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator
is In or NotIn, the values array must be non-empty. If the
operator is Exists or DoesNotExist, the values array must
be empty. This array is replaced during a strategic merge
patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value}
in the matchLabels map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
summary:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
type: object
type: object
served: true
storage: true
subresources: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []




@ -323,7 +323,7 @@ metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: [ "policy.k8s.io/v1alpha1" ]
- apiGroups: [ "wgpolicyk8s.io/v1alpha1" ]
resources:
- policyreport
verbs: [ "get", "list", "watch" ]
@ -336,7 +336,7 @@ metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["policy.k8s.io/v1alpha1"]
- apiGroups: ["wgpolicyk8s.io/v1alpha1"]
resources:
- clusterpolicyreport
verbs: ["get", "list", "watch"]
@ -349,7 +349,7 @@ metadata:
name: kyverno:edit-policies-policyreport
rules:
- apiGroups:
- policy.k8s.io/v1alpha1
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
@ -368,7 +368,7 @@ metadata:
name: kyverno:admin-policyreport
rules:
- apiGroups:
- policy.k8s.io/v1alpha1
- wgpolicyk8s.io/v1alpha1
resources:
- policyreport
- clusterpolicyreport
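Review bot: The `apiGroups` values in all four rules keep a version suffix (`wgpolicyk8s.io/v1alpha1`), but RBAC matches on the bare API group name, so these rules would not match the `wgpolicyk8s.io` group declared by the CRDs in this commit and the aggregated view/admin roles would grant nothing for policy reports. Each entry should be `apiGroups: ["wgpolicyk8s.io"]`. The `resources` entries are also singular (`policyreport`, `clusterpolicyreport`), while the CRDs declare the plurals `policyreports` and `clusterpolicyreports`, which is the form RBAC expects. Both problems are carried over from the old `policy.k8s.io/v1alpha1` lines. The rules start and end outside the hunks, so the verbs of the last two rules are not visible here.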



@ -1,12 +1,28 @@
// +build !ignore_autogenerated
// Code generated by controller-gen. DO NOT EDIT.
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
policyreportv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -38,6 +54,7 @@ func (in *ClusterReportChangeRequest) DeepCopyInto(out *ClusterReportChangeReque
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportChangeRequest.
@ -70,6 +87,7 @@ func (in *ClusterReportChangeRequestList) DeepCopyInto(out *ClusterReportChangeR
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportChangeRequestList.
@ -117,6 +135,7 @@ func (in *ReportChangeRequest) DeepCopyInto(out *ReportChangeRequest) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportChangeRequest.
@ -149,6 +168,7 @@ func (in *ReportChangeRequestList) DeepCopyInto(out *ReportChangeRequestList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportChangeRequestList.


@ -17,5 +17,5 @@ limitations under the License.
// Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
// +k8s:deepcopy-gen=package
// +kubebuilder:object:generate=true
// +groupName=policy.k8s.io
// +groupName=wgpolicyk8s.io
package v1alpha1


@ -16,7 +16,7 @@ limitations under the License.
// Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
// +kubebuilder:object:generate=true
// +groupName=policy.k8s.io
// +groupName=wgpolicyk8s.io
package v1alpha1
import (
@ -26,10 +26,10 @@ import (
// Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group
// +kubebuilder:object:generate=true
// +groupName=policy.k8s.io
// +groupName=wgpolicyk8s.io
var (
// SchemeGroupVersion is group version used to register these objects
SchemeGroupVersion = schema.GroupVersion{Group: "policy.k8s.io", Version: "v1alpha1"}
SchemeGroupVersion = schema.GroupVersion{Group: "wgpolicyk8s.io", Version: "v1alpha1"}
// SchemeBuilder is used to add go types to the GroupVersionKind scheme
SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
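Review bot: Changing the group in `SchemeGroupVersion` to `wgpolicyk8s.io` leaves any PolicyReport and ClusterPolicyReport objects, CRDs and RBAC rules that an existing cluster already holds under `policy.k8s.io` untouched, and nothing visible in this section migrates or removes them. If no cleanup exists elsewhere in the commit, a consumer still reading the old group would keep seeing reports that are no longer updated, which matters when those reports serve as compliance evidence. I would add an upgrade note and a comment above the variable such as `// Group renamed from policy.k8s.io; objects stored under the old group are not migrated.` The `var` block continues outside the hunk.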


@ -1,11 +1,27 @@
// +build !ignore_autogenerated
// Code generated by controller-gen. DO NOT EDIT.
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1alpha1
import (
"k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@ -37,6 +53,7 @@ func (in *ClusterPolicyReport) DeepCopyInto(out *ClusterPolicyReport) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReport.
@ -69,6 +86,7 @@ func (in *ClusterPolicyReportList) DeepCopyInto(out *ClusterPolicyReportList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReportList.
@ -116,6 +134,7 @@ func (in *PolicyReport) DeepCopyInto(out *PolicyReport) {
}
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReport.
@ -148,6 +167,7 @@ func (in *PolicyReportList) DeepCopyInto(out *PolicyReportList) {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportList.
@ -194,6 +214,7 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) {
(*out)[key] = val
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportResult.
@ -209,6 +230,7 @@ func (in *PolicyReportResult) DeepCopy() *PolicyReportResult {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyReportSummary) DeepCopyInto(out *PolicyReportSummary) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportSummary.


@ -23,7 +23,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
kyvernov1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1"
policyv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1"
wgpolicyk8sv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1"
discovery "k8s.io/client-go/discovery"
rest "k8s.io/client-go/rest"
flowcontrol "k8s.io/client-go/util/flowcontrol"
@ -33,16 +33,16 @@ type Interface interface {
Discovery() discovery.DiscoveryInterface
KyvernoV1() kyvernov1.KyvernoV1Interface
KyvernoV1alpha1() kyvernov1alpha1.KyvernoV1alpha1Interface
PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface
Wgpolicyk8sV1alpha1() wgpolicyk8sv1alpha1.Wgpolicyk8sV1alpha1Interface
}
// Clientset contains the clients for groups. Each group has exactly one
// version included in a Clientset.
type Clientset struct {
*discovery.DiscoveryClient
kyvernoV1 *kyvernov1.KyvernoV1Client
kyvernoV1alpha1 *kyvernov1alpha1.KyvernoV1alpha1Client
policyV1alpha1 *policyv1alpha1.PolicyV1alpha1Client
kyvernoV1 *kyvernov1.KyvernoV1Client
kyvernoV1alpha1 *kyvernov1alpha1.KyvernoV1alpha1Client
wgpolicyk8sV1alpha1 *wgpolicyk8sv1alpha1.Wgpolicyk8sV1alpha1Client
}
// KyvernoV1 retrieves the KyvernoV1Client
@ -55,9 +55,9 @@ func (c *Clientset) KyvernoV1alpha1() kyvernov1alpha1.KyvernoV1alpha1Interface {
return c.kyvernoV1alpha1
}
// PolicyV1alpha1 retrieves the PolicyV1alpha1Client
func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface {
return c.policyV1alpha1
// Wgpolicyk8sV1alpha1 retrieves the Wgpolicyk8sV1alpha1Client
func (c *Clientset) Wgpolicyk8sV1alpha1() wgpolicyk8sv1alpha1.Wgpolicyk8sV1alpha1Interface {
return c.wgpolicyk8sV1alpha1
}
// Discovery retrieves the DiscoveryClient
@ -89,7 +89,7 @@ func NewForConfig(c *rest.Config) (*Clientset, error) {
if err != nil {
return nil, err
}
cs.policyV1alpha1, err = policyv1alpha1.NewForConfig(&configShallowCopy)
cs.wgpolicyk8sV1alpha1, err = wgpolicyk8sv1alpha1.NewForConfig(&configShallowCopy)
if err != nil {
return nil, err
}
@ -107,7 +107,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
var cs Clientset
cs.kyvernoV1 = kyvernov1.NewForConfigOrDie(c)
cs.kyvernoV1alpha1 = kyvernov1alpha1.NewForConfigOrDie(c)
cs.policyV1alpha1 = policyv1alpha1.NewForConfigOrDie(c)
cs.wgpolicyk8sV1alpha1 = wgpolicyk8sv1alpha1.NewForConfigOrDie(c)
cs.DiscoveryClient = discovery.NewDiscoveryClientForConfigOrDie(c)
return &cs
@ -118,7 +118,7 @@ func New(c rest.Interface) *Clientset {
var cs Clientset
cs.kyvernoV1 = kyvernov1.New(c)
cs.kyvernoV1alpha1 = kyvernov1alpha1.New(c)
cs.policyV1alpha1 = policyv1alpha1.New(c)
cs.wgpolicyk8sV1alpha1 = wgpolicyk8sv1alpha1.New(c)
cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
return &cs


@ -24,8 +24,8 @@ import (
fakekyvernov1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1/fake"
kyvernov1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1"
fakekyvernov1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1/fake"
policyv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1"
fakepolicyv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake"
wgpolicyk8sv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1"
fakewgpolicyk8sv1alpha1 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/watch"
"k8s.io/client-go/discovery"
@ -90,7 +90,7 @@ func (c *Clientset) KyvernoV1alpha1() kyvernov1alpha1.KyvernoV1alpha1Interface {
return &fakekyvernov1alpha1.FakeKyvernoV1alpha1{Fake: &c.Fake}
}
// PolicyV1alpha1 retrieves the PolicyV1alpha1Client
func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Interface {
return &fakepolicyv1alpha1.FakePolicyV1alpha1{Fake: &c.Fake}
// Wgpolicyk8sV1alpha1 retrieves the Wgpolicyk8sV1alpha1Client
func (c *Clientset) Wgpolicyk8sV1alpha1() wgpolicyk8sv1alpha1.Wgpolicyk8sV1alpha1Interface {
return &fakewgpolicyk8sv1alpha1.FakeWgpolicyk8sV1alpha1{Fake: &c.Fake}
}


@ -21,7 +21,7 @@ package fake
import (
kyvernov1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
kyvernov1alpha1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1alpha1"
policyv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
wgpolicyk8sv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
@ -35,7 +35,7 @@ var parameterCodec = runtime.NewParameterCodec(scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
kyvernov1.AddToScheme,
kyvernov1alpha1.AddToScheme,
policyv1alpha1.AddToScheme,
wgpolicyk8sv1alpha1.AddToScheme,
}
// AddToScheme adds all types of this clientset into the given scheme. This allows composition


@ -21,7 +21,7 @@ package scheme
import (
kyvernov1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
kyvernov1alpha1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1alpha1"
policyv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
wgpolicyk8sv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
schema "k8s.io/apimachinery/pkg/runtime/schema"
@ -35,7 +35,7 @@ var ParameterCodec = runtime.NewParameterCodec(Scheme)
var localSchemeBuilder = runtime.SchemeBuilder{
kyvernov1.AddToScheme,
kyvernov1alpha1.AddToScheme,
policyv1alpha1.AddToScheme,
wgpolicyk8sv1alpha1.AddToScheme,
}
// AddToScheme adds all types of this clientset into the given scheme. This allows composition


@ -55,7 +55,7 @@ type clusterPolicyReports struct {
}
// newClusterPolicyReports returns a ClusterPolicyReports
func newClusterPolicyReports(c *PolicyV1alpha1Client) *clusterPolicyReports {
func newClusterPolicyReports(c *Wgpolicyk8sV1alpha1Client) *clusterPolicyReports {
return &clusterPolicyReports{
client: c.RESTClient(),
}


@ -32,12 +32,12 @@ import (
// FakeClusterPolicyReports implements ClusterPolicyReportInterface
type FakeClusterPolicyReports struct {
Fake *FakePolicyV1alpha1
Fake *FakeWgpolicyk8sV1alpha1
}
var clusterpolicyreportsResource = schema.GroupVersionResource{Group: "policy.k8s.io", Version: "v1alpha1", Resource: "clusterpolicyreports"}
var clusterpolicyreportsResource = schema.GroupVersionResource{Group: "wgpolicyk8s.io", Version: "v1alpha1", Resource: "clusterpolicyreports"}
var clusterpolicyreportsKind = schema.GroupVersionKind{Group: "policy.k8s.io", Version: "v1alpha1", Kind: "ClusterPolicyReport"}
var clusterpolicyreportsKind = schema.GroupVersionKind{Group: "wgpolicyk8s.io", Version: "v1alpha1", Kind: "ClusterPolicyReport"}
// Get takes name of the clusterPolicyReport, and returns the corresponding clusterPolicyReport object, and an error if there is any.
func (c *FakeClusterPolicyReports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterPolicyReport, err error) {


@ -32,13 +32,13 @@ import (
// FakePolicyReports implements PolicyReportInterface
type FakePolicyReports struct {
Fake *FakePolicyV1alpha1
Fake *FakeWgpolicyk8sV1alpha1
ns string
}
var policyreportsResource = schema.GroupVersionResource{Group: "policy.k8s.io", Version: "v1alpha1", Resource: "policyreports"}
var policyreportsResource = schema.GroupVersionResource{Group: "wgpolicyk8s.io", Version: "v1alpha1", Resource: "policyreports"}
var policyreportsKind = schema.GroupVersionKind{Group: "policy.k8s.io", Version: "v1alpha1", Kind: "PolicyReport"}
var policyreportsKind = schema.GroupVersionKind{Group: "wgpolicyk8s.io", Version: "v1alpha1", Kind: "PolicyReport"}
// Get takes name of the policyReport, and returns the corresponding policyReport object, and an error if there is any.
func (c *FakePolicyReports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.PolicyReport, err error) {


@ -24,21 +24,21 @@ import (
testing "k8s.io/client-go/testing"
)
type FakePolicyV1alpha1 struct {
type FakeWgpolicyk8sV1alpha1 struct {
*testing.Fake
}
func (c *FakePolicyV1alpha1) ClusterPolicyReports() v1alpha1.ClusterPolicyReportInterface {
func (c *FakeWgpolicyk8sV1alpha1) ClusterPolicyReports() v1alpha1.ClusterPolicyReportInterface {
return &FakeClusterPolicyReports{c}
}
func (c *FakePolicyV1alpha1) PolicyReports(namespace string) v1alpha1.PolicyReportInterface {
func (c *FakeWgpolicyk8sV1alpha1) PolicyReports(namespace string) v1alpha1.PolicyReportInterface {
return &FakePolicyReports{c, namespace}
}
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *FakePolicyV1alpha1) RESTClient() rest.Interface {
func (c *FakeWgpolicyk8sV1alpha1) RESTClient() rest.Interface {
var ret *rest.RESTClient
return ret
}


@ -56,7 +56,7 @@ type policyReports struct {
}
// newPolicyReports returns a PolicyReports
func newPolicyReports(c *PolicyV1alpha1Client, namespace string) *policyReports {
func newPolicyReports(c *Wgpolicyk8sV1alpha1Client, namespace string) *policyReports {
return &policyReports{
client: c.RESTClient(),
ns: namespace,


@ -24,27 +24,27 @@ import (
rest "k8s.io/client-go/rest"
)
type PolicyV1alpha1Interface interface {
type Wgpolicyk8sV1alpha1Interface interface {
RESTClient() rest.Interface
ClusterPolicyReportsGetter
PolicyReportsGetter
}
// PolicyV1alpha1Client is used to interact with features provided by the policy.k8s.io group.
type PolicyV1alpha1Client struct {
// Wgpolicyk8sV1alpha1Client is used to interact with features provided by the wgpolicyk8s.io group.
type Wgpolicyk8sV1alpha1Client struct {
restClient rest.Interface
}
func (c *PolicyV1alpha1Client) ClusterPolicyReports() ClusterPolicyReportInterface {
func (c *Wgpolicyk8sV1alpha1Client) ClusterPolicyReports() ClusterPolicyReportInterface {
return newClusterPolicyReports(c)
}
func (c *PolicyV1alpha1Client) PolicyReports(namespace string) PolicyReportInterface {
func (c *Wgpolicyk8sV1alpha1Client) PolicyReports(namespace string) PolicyReportInterface {
return newPolicyReports(c, namespace)
}
// NewForConfig creates a new PolicyV1alpha1Client for the given config.
func NewForConfig(c *rest.Config) (*PolicyV1alpha1Client, error) {
// NewForConfig creates a new Wgpolicyk8sV1alpha1Client for the given config.
func NewForConfig(c *rest.Config) (*Wgpolicyk8sV1alpha1Client, error) {
config := *c
if err := setConfigDefaults(&config); err != nil {
return nil, err
@ -53,12 +53,12 @@ func NewForConfig(c *rest.Config) (*PolicyV1alpha1Client, error) {
if err != nil {
return nil, err
}
return &PolicyV1alpha1Client{client}, nil
return &Wgpolicyk8sV1alpha1Client{client}, nil
}
// NewForConfigOrDie creates a new PolicyV1alpha1Client for the given config and
// NewForConfigOrDie creates a new Wgpolicyk8sV1alpha1Client for the given config and
// panics if there is an error in the config.
func NewForConfigOrDie(c *rest.Config) *PolicyV1alpha1Client {
func NewForConfigOrDie(c *rest.Config) *Wgpolicyk8sV1alpha1Client {
client, err := NewForConfig(c)
if err != nil {
panic(err)
@ -66,9 +66,9 @@ func NewForConfigOrDie(c *rest.Config) *PolicyV1alpha1Client {
return client
}
// New creates a new PolicyV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *PolicyV1alpha1Client {
return &PolicyV1alpha1Client{c}
// New creates a new Wgpolicyk8sV1alpha1Client for the given RESTClient.
func New(c rest.Interface) *Wgpolicyk8sV1alpha1Client {
return &Wgpolicyk8sV1alpha1Client{c}
}
func setConfigDefaults(config *rest.Config) error {
@ -86,7 +86,7 @@ func setConfigDefaults(config *rest.Config) error {
// RESTClient returns a RESTClient that is used to communicate
// with API server by this client implementation.
func (c *PolicyV1alpha1Client) RESTClient() rest.Interface {
func (c *Wgpolicyk8sV1alpha1Client) RESTClient() rest.Interface {
if c == nil {
return nil
}


@ -174,13 +174,13 @@ type SharedInformerFactory interface {
WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool
Kyverno() kyverno.Interface
Policy() policyreport.Interface
Wgpolicyk8s() policyreport.Interface
}
func (f *sharedInformerFactory) Kyverno() kyverno.Interface {
return kyverno.New(f, f.namespace, f.tweakListOptions)
}
func (f *sharedInformerFactory) Policy() policyreport.Interface {
func (f *sharedInformerFactory) Wgpolicyk8s() policyreport.Interface {
return policyreport.New(f, f.namespace, f.tweakListOptions)
}


@ -72,11 +72,11 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
case v1alpha1.SchemeGroupVersion.WithResource("reportchangerequests"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V1alpha1().ReportChangeRequests().Informer()}, nil
// Group=policy.k8s.io, Version=v1alpha1
// Group=wgpolicyk8s.io, Version=v1alpha1
case policyreportv1alpha1.SchemeGroupVersion.WithResource("clusterpolicyreports"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().ClusterPolicyReports().Informer()}, nil
return &genericInformer{resource: resource.GroupResource(), informer: f.Wgpolicyk8s().V1alpha1().ClusterPolicyReports().Informer()}, nil
case policyreportv1alpha1.SchemeGroupVersion.WithResource("policyreports"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().PolicyReports().Informer()}, nil
return &genericInformer{resource: resource.GroupResource(), informer: f.Wgpolicyk8s().V1alpha1().PolicyReports().Informer()}, nil
}


@ -61,13 +61,13 @@ func NewFilteredClusterPolicyReportInformer(client versioned.Interface, resyncPe
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PolicyV1alpha1().ClusterPolicyReports().List(context.TODO(), options)
return client.Wgpolicyk8sV1alpha1().ClusterPolicyReports().List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PolicyV1alpha1().ClusterPolicyReports().Watch(context.TODO(), options)
return client.Wgpolicyk8sV1alpha1().ClusterPolicyReports().Watch(context.TODO(), options)
},
},
&policyreportv1alpha1.ClusterPolicyReport{},


@ -62,13 +62,13 @@ func NewFilteredPolicyReportInformer(client versioned.Interface, namespace strin
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PolicyV1alpha1().PolicyReports(namespace).List(context.TODO(), options)
return client.Wgpolicyk8sV1alpha1().PolicyReports(namespace).List(context.TODO(), options)
},
WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
if tweakListOptions != nil {
tweakListOptions(&options)
}
return client.PolicyV1alpha1().PolicyReports(namespace).Watch(context.TODO(), options)
return client.Wgpolicyk8sV1alpha1().PolicyReports(namespace).Watch(context.TODO(), options)
},
},
&policyreportv1alpha1.PolicyReport{},


@ -84,7 +84,7 @@ func mergeClusterReport(reports []*unstructured.Unstructured) (*unstructured.Uns
res := &unstructured.Unstructured{}
res.SetName(clusterpolicyreport)
res.SetKind("ClusterPolicyReport")
res.SetAPIVersion("policy.k8s.io/v1alpha1")
res.SetAPIVersion(report.SchemeGroupVersion.String())
for _, report := range reports {
if report.GetNamespace() != "" {
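Review bot: The loop variable in `for _, report := range reports {` shadows the `report` package that the new `res.SetAPIVersion(report.SchemeGroupVersion.String())` line depends on, so that call compiles only because it sits above the loop. Inside the loop, `report.SchemeGroupVersion` would resolve to the `*unstructured.Unstructured` element instead of the package. The same shadowing appears in `buildPolicyReports`, where `report := &report.ClusterPolicyReport{` and `report := &report.PolicyReport{` rebind the name, while this commit already renames the `setReport` parameter to `reportUnstructured`. For consistency I would rename the loop variable, e.g. `for _, r := range reports {`, and the two locals likewise. The loop body continues outside the hunk, so its uses need the same rename.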


@ -13,7 +13,7 @@ func Test_mergeClusterReport(t *testing.T) {
reports := []*unstructured.Unstructured{
{
Object: map[string]interface{}{
"apiVersion": "policy.k8s.io/v1alpha1",
"apiVersion": report.SchemeGroupVersion.String(),
"kind": "PolicyReport",
"metadata": map[string]interface{}{
"name": "ns-polr-1",
@ -30,7 +30,7 @@ func Test_mergeClusterReport(t *testing.T) {
},
{
Object: map[string]interface{}{
"apiVersion": "policy.k8s.io/v1alpha1",
"apiVersion": report.SchemeGroupVersion.String(),
"kind": "PolicyReport",
"metadata": map[string]interface{}{
"name": "ns-polr-2",
@ -60,7 +60,7 @@ func Test_mergeClusterReport(t *testing.T) {
},
{
Object: map[string]interface{}{
"apiVersion": "policy.k8s.io/v1alpha1",
"apiVersion": report.SchemeGroupVersion.String(),
"kind": "ClusterPolicyReport",
"metadata": map[string]interface{}{
"name": "cpolr-4",
@ -75,7 +75,7 @@ func Test_mergeClusterReport(t *testing.T) {
},
{
Object: map[string]interface{}{
"apiVersion": "policy.k8s.io/v1alpha1",
"apiVersion": report.SchemeGroupVersion.String(),
"kind": "ClusterPolicyReport",
"metadata": map[string]interface{}{
"name": "cpolr-5",
@ -114,7 +114,7 @@ func Test_mergeClusterReport(t *testing.T) {
cpolr, err := mergeClusterReport(reports)
assert.NilError(t, err)
assert.Assert(t, cpolr.GetAPIVersion() == "policy.k8s.io/v1alpha1", cpolr.GetAPIVersion())
assert.Assert(t, cpolr.GetAPIVersion() == report.SchemeGroupVersion.String(), cpolr.GetAPIVersion())
assert.Assert(t, cpolr.GetKind() == "ClusterPolicyReport", cpolr.GetKind())
entries, _, err := unstructured.NestedSlice(cpolr.UnstructuredContent(), "results")
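Review bot: The final assertion `cpolr.GetAPIVersion() == report.SchemeGroupVersion.String()` now compares the output with the same constant that `mergeClusterReport` uses to produce it, so the test can no longer catch a wrong group or version string. The apiVersion is the value that clients and manifests have to match, so I would pin the literal in the expectation: `assert.Assert(t, cpolr.GetAPIVersion() == "wgpolicyk8s.io/v1alpha1", cpolr.GetAPIVersion())`. Using the constant in the input fixtures is fine. The test function continues outside the hunk.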


@ -27,7 +27,7 @@ func buildPolicyReports(resps []response.EngineResponse) (res []*unstructured.Un
if scope == clusterpolicyreport {
report := &report.ClusterPolicyReport{
TypeMeta: metav1.TypeMeta{
APIVersion: "policy.k8s.io/v1alpha1",
APIVersion: report.SchemeGroupVersion.String(),
Kind: "ClusterPolicyReport",
},
Results: result,
@ -41,7 +41,7 @@ func buildPolicyReports(resps []response.EngineResponse) (res []*unstructured.Un
} else {
report := &report.PolicyReport{
TypeMeta: metav1.TypeMeta{
APIVersion: "policy.k8s.io/v1alpha1",
APIVersion: report.SchemeGroupVersion.String(),
Kind: "PolicyReport",
},
Results: result,


@ -464,23 +464,23 @@ func mergeRequests(ns *v1.Namespace, requestsGeneral interface{}) (*unstructured
return nil, nil, nil
}
func setReport(report *unstructured.Unstructured, ns *v1.Namespace) {
report.SetAPIVersion("policy.k8s.io/v1alpha1")
func setReport(reportUnstructured *unstructured.Unstructured, ns *v1.Namespace) {
reportUnstructured.SetAPIVersion(report.SchemeGroupVersion.String())
if ns == nil {
report.SetName(generatePolicyReportName(""))
report.SetKind("ClusterPolicyReport")
reportUnstructured.SetName(generatePolicyReportName(""))
reportUnstructured.SetKind("ClusterPolicyReport")
return
}
report.SetName(generatePolicyReportName(ns.GetName()))
report.SetNamespace(ns.GetName())
report.SetKind("PolicyReport")
reportUnstructured.SetName(generatePolicyReportName(ns.GetName()))
reportUnstructured.SetNamespace(ns.GetName())
reportUnstructured.SetKind("PolicyReport")
controllerFlag := true
blockOwnerDeletionFlag := true
report.SetOwnerReferences([]metav1.OwnerReference{
reportUnstructured.SetOwnerReferences([]metav1.OwnerReference{
{
APIVersion: "v1",
Kind: "Namespace",