diff --git a/Makefile b/Makefile
index 27201adb39..40780083d1 100644
--- a/Makefile
+++ b/Makefile
@@ -169,10 +169,6 @@ godownloader:
 # kustomize-crd will create install.yaml
 kustomize-crd:
- # Create CRD for helm deployment Helm
- curl -o ./definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml https://raw.githubusercontent.com/kubernetes-sigs/wg-policy-prototypes/master/policy-report/crd/policy.kubernetes.io_clusterpolicyreports.yaml
- curl -o ./definitions/crds/policy.kubernetes.io_policyreports.yaml https://raw.githubusercontent.com/kubernetes-sigs/wg-policy-prototypes/master/policy-report/crd/policy.kubernetes.io_policyreports.yaml
- # Create CRD for helm deployment Helm
 kustomize build ./definitions/crds > ./charts/kyverno/crds/crds.yaml
 # Generate install.yaml that have all resources for kyverno
@@ -185,6 +181,27 @@ release:
 kustomize build ./definitions > ./definitions/install.yaml
 kustomize build ./definitions > ./definitions/release/install.yaml
+report-crd: controller-gen
+ $(CONTROLLER_GEN) crd:trivialVersions=true paths="./pkg/api/policyreport/v1alpha1" output:dir=./definitions/crds
+ $(CONTROLLER_GEN) object paths=./pkg/api/policyreport/v1alpha1
+
+# find or download controller-gen
+# download controller-gen if necessary
+controller-gen:
+ifeq (, $(shell which controller-gen))
+ @{ \
+ set -e ;\
+ CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
+ cd $$CONTROLLER_GEN_TMP_DIR ;\
+ go mod init tmp ;\
+ go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5 ;\
+ rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
+ }
+CONTROLLER_GEN=$(GOBIN)/controller-gen
+else
+CONTROLLER_GEN=$(shell which controller-gen)
+endif
+
 # Run go fmt against code
 fmt:
 go fmt ./...
diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index 614130f502..ff54310a17 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
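Review bot: `CONTROLLER_GEN=$(GOBIN)/controller-gen` in the `ifeq` branch of the new `controller-gen` target expands to `/controller-gen` when `GOBIN` is empty, so a checkout that has to download the tool would install it under `$GOPATH/bin` and then fail to invoke it from `report-crd`. The head of this Makefile is outside the hunk; if it does not already derive `GOBIN` from `go env`, add `GOBIN ?= $(shell go env GOPATH)/bin` above the target (and if the toolchain moves to Go 1.16+, `go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.5` is the form that still produces a binary, since `go get` stops installing commands there). The `else` branch takes whatever `controller-gen` is first on PATH without checking its version, so only the download path is pinned to v0.2.5 and the committed generated CRDs (whose `controller-gen.kubebuilder.io/version` annotation this same commit bumps) will drift between developer machines; installing the tagged version into a repo-local bin directory unconditionally, or asserting the version before use, keeps the generated artifacts reproducible. Lastly, `set -e` inside the braces aborts before `rm -rf` when `go get` fails, leaving the temporary module behind — a `trap 'rm -rf $$CONTROLLER_GEN_TMP_DIR' EXIT` right after `mktemp` closes that gap.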
@@ -275,7 +275,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -338,6 +339,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string @@ -468,6 +472,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: @@ -482,9 +493,8 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the policy report scope. - For example. the report may be for all resources in a namespace, a for - a node, or cluster-wide. + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. 
@@ -676,6 +686,344 @@ spec: --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterreportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ClusterReportRequest + listKind: ClusterReportRequestList + plural: clusterreportrequests + singular: clusterreportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: @@ -1001,7 +1349,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1063,6 +1412,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string @@ -1193,6 +1545,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: 
@@ -1397,3 +1756,341 @@ spec: - name: v1 served: true storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: reportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ReportRequest + listKind: ReportRequestList + plural: reportrequests + singular: reportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml index c78f744f88..4efe95fb44 100755 --- a/definitions/crds/crds.yaml +++ b/definitions/crds/crds.yaml 
@@ -739,663 +739,3 @@ spec: type: string namespace: type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.4 - name: clusterpolicyreports.policy.kubernetes.io -spec: - additionalPrinterColumns: - - JSONPath: .scope.kind - name: Kind - priority: 1 - type: string - - JSONPath: .scope.name - name: Name - priority: 1 - type: string - - JSONPath: .summary.pass - name: Pass - type: integer - - JSONPath: .summary.fail - name: Fail - type: integer - - JSONPath: .summary.warn - name: Warn - type: integer - - JSONPath: .summary.error - name: Error - type: integer - - JSONPath: .summary.skip - name: Skip - type: integer - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: policy.kubernetes.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - singular: clusterpolicyreport - shortNames: - - cpolr - scope: Namespaced - subresources: {} - validation: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - data: - additionalProperties: - type: string - description: Data provides additional information for the policy rule - type: object - message: - description: Message is a short user friendly description of the policy - rule - type: string - policy: - description: Policy is the name of the policy - type: string - resourceSelector: - description: ResourceSelector is an optional selector for policy results - that apply to multiple resources. For example, a policy result may - apply to all pods that match a label. Either a Resource or a ResourceSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked - by the policy and rule - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many fields - which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, which - makes it hard for users to predict what will happen. 4. The fields - are both imprecise and overly precise. Kind is not a precise - mapping to a URL. This can produce ambiguity during interpretation - and require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this type will - affect numerous schemas. Don''t make new APIs embed an underspecified - API type they do not control. 
Instead of using this type, create - a locally provided and used type that is well-focused on your - reference. For example, ServiceReferences for admission registration: - https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - status: - description: Status indicates the result of the policy rule check - enum: - - Pass - - Fail - - Warn - - Error - - Skip - type: string - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the policy report scope. - For example. the report may be for all resources in a namespace, a for - a node, or cluster-wide. - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access statement, - such as desiredState.manifest.containers[2]. For example, if the object - reference is to a container within a pod, this would take on a value - like: "spec.containers{name}" (where "name" refers to the name of - the container that triggered the event) or if no container name is - specified "spec.containers[2]" (container with index 2 in this pod). - This syntax is chosen only to have some well-defined way of referencing - a part of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, - if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. - Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the operator - is Exists or DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements - were not met - type: integer - required: - - error - - fail - - pass - - skip - - warn - type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.2.4 - name: policyreports.policy.kubernetes.io -spec: - additionalPrinterColumns: - - JSONPath: .scope.kind - name: Kind - priority: 1 - type: string - - JSONPath: .scope.name - name: Name - priority: 1 - type: string - - JSONPath: .summary.pass - name: Pass - type: integer - - JSONPath: .summary.fail - name: Fail - type: integer - - JSONPath: .summary.warn - name: Warn - type: integer - - JSONPath: .summary.error - name: Error - type: integer - - JSONPath: .summary.skip - name: Skip - type: integer - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: policy.kubernetes.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - singular: policyreport - shortNames: - - polr - scope: Namespaced - subresources: {} - validation: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 
'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - data: - additionalProperties: - type: string - description: Data provides additional information for the policy rule - type: object - message: - description: Message is a short user friendly description of the policy - rule - type: string - policy: - description: Policy is the name of the policy - type: string - resourceSelector: - description: ResourceSelector is an optional selector for policy results - that apply to multiple resources. For example, a policy result may - apply to all pods that match a label. Either a Resource or a ResourceSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. 
Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - resources: - description: Resources is an optional reference to the resource checked - by the policy and rule - items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many fields - which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, which - makes it hard for users to predict what will happen. 4. The fields - are both imprecise and overly precise. Kind is not a precise - mapping to a URL. This can produce ambiguity during interpretation - and require a REST mapping. 
In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this type will - affect numerous schemas. Don''t make new APIs embed an underspecified - API type they do not control. Instead of using this type, create - a locally provided and used type that is well-focused on your - reference. For example, ServiceReferences for admission registration: - https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of - an entire object, this string should contain a valid JSON/Go - field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part of - an object. TODO: this design is not final and this field is - subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - type: array - rule: - description: Rule is the name of the policy rule - type: string - scored: - description: Scored indicates if this policy rule is scored - type: boolean - status: - description: Status indicates the result of the policy rule check - enum: - - Pass - - Fail - - Warn - - Error - - Skip - type: string - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. a - Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access statement, - such as desiredState.manifest.containers[2]. For example, if the object - reference is to a container within a pod, this would take on a value - like: "spec.containers{name}" (where "name" refers to the name of - the container that triggered the event) or if no container name is - specified "spec.containers[2]" (container with index 2 in this pod). - This syntax is chosen only to have some well-defined way of referencing - a part of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is made, - if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes (e.g. - Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the operator - is Exists or DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. 
- type: object - type: object - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of unscored policies whose requirements - were not met - type: integer - required: - - error - - fail - - pass - - skip - - warn - type: object - type: object - version: v1alpha1 - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/definitions/crds/kustomization.yaml b/definitions/crds/kustomization.yaml index 8adb7f06ef..819b5c5dc0 100755 --- a/definitions/crds/kustomization.yaml +++ b/definitions/crds/kustomization.yaml @@ -2,4 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./crds.yaml \ No newline at end of file +- ./crds.yaml +- ./policy.kubernetes.io_clusterpolicyreports.yaml +- ./policy.kubernetes.io_policyreports.yaml +- ./policy.kubernetes.io_clusterreportrequests.yaml +- ./policy.kubernetes.io_reportrequests.yaml \ No newline at end of file diff --git a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml index af3e968146..43d31a031c 100644 --- a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml +++ b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml 
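Review bot: The resource list now names `./policy.kubernetes.io_reportrequests.yaml`, but the part of the diff visible here adds only the clusterreportrequests file; if the namespaced reportrequests CRD file is not part of this change, `kustomize build ./definitions/crds` fails on a missing resource, so confirm it is committed alongside. The new side also still ends with `\ No newline at end of file`, so each later append will show the previous last entry as modified; finish the list with a trailing newline.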
@@ -40,6 +40,8 @@ spec: kind: ClusterPolicyReport listKind: ClusterPolicyReportList plural: clusterpolicyreports + shortNames: + - cpolr singular: clusterpolicyreport scope: Namespaced subresources: {} @@ -220,9 +222,8 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the policy report scope. - For example. the report may be for all resources in a namespace, a for - a node, or cluster-wide. + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. diff --git a/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml b/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml new file mode 100644 index 0000000000..dd7c2219c8 --- /dev/null +++ b/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml 
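Review bot: The `shortNames: [cpolr]` entry under `names` looks hand-placed in a controller-gen output file (the sibling report CRD files in this diff carry the `controller-gen.kubebuilder.io/version` annotation), so the next regeneration from the Go types would drop it; if that is how this file is produced, the durable place for the alias is a `// +kubebuilder:resource:shortName=cpolr` marker on the ClusterPolicyReport type, which makes the generator emit this same line. It is also worth deciding whether the ClusterReportRequest CRD introduced elsewhere in this diff should get a matching alias, so the two report kinds stay consistent.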
@@ -0,0 +1,339 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterreportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ClusterReportRequest + listKind: ClusterReportRequestList + plural: clusterreportrequests + singular: clusterreportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/definitions/crds/policy.kubernetes.io_policyreports.yaml b/definitions/crds/policy.kubernetes.io_policyreports.yaml index b5b520d093..fdc9b32a3f 100644 --- a/definitions/crds/policy.kubernetes.io_policyreports.yaml +++ b/definitions/crds/policy.kubernetes.io_policyreports.yaml @@ -40,6 +40,8 @@ spec: kind: PolicyReport listKind: PolicyReportList plural: policyreports + shortNames: + - polr singular: policyreport scope: Namespaced subresources: {} diff --git a/definitions/crds/policy.kubernetes.io_reportrequests.yaml b/definitions/crds/policy.kubernetes.io_reportrequests.yaml new file mode 100644 index 0000000000..f966ad7c08 --- /dev/null +++ b/definitions/crds/policy.kubernetes.io_reportrequests.yaml 
@@ -0,0 +1,339 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: reportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ReportRequest + listKind: ReportRequestList + plural: reportrequests + singular: reportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/definitions/install.yaml b/definitions/install.yaml index c04416cf19..540edadb23 100755 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -280,7 +280,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -343,6 +344,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string @@ -473,6 +477,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: 
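Review bot: The `scopeSelector` description in the new reportrequests CRD states that "either one of, or none of, but not both of, Scope or ScopeSelector should be specified", but the schema carries no `oneOf`/`not` constraint, so the API server will accept a ReportRequest with both `scope` and `scopeSelector` set and the rule is only enforced (if at all) by whatever consumes these objects. In the same commit the sibling policyreports CRD gains `shortNames: [polr]` while this new CRD defines none, which is a small inconsistency for operators. Both files carry the `controller-gen.kubebuilder.io/version` annotation, so they appear to be generated output and the change belongs on the Go type markers rather than here; for the short name that would be a marker such as `// +kubebuilder:resource:shortName=rr` (name illustrative), and for the exclusivity rule a comment on the type noting that it is not schema-enforced and must be checked by the controller.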
@@ -487,9 +498,8 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the policy report scope. - For example. the report may be for all resources in a namespace, a for - a node, or cluster-wide. + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. 
@@ -681,6 +691,344 @@ spec: --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterreportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ClusterReportRequest + listKind: ClusterReportRequestList + plural: clusterreportrequests + singular: clusterreportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: @@ -1006,7 +1354,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1068,6 +1417,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string @@ -1198,6 +1550,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: 
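Review bot: The new clusterreportrequests CRD declares `scope: Namespaced` although the Kind is `ClusterReportRequest`, and its description reads `ClusterReportRequest is the Schema for the reportrequests API`, which looks copied from the namespaced ReportRequest type. If this is meant as the cluster-scoped counterpart, as the name suggests, the scope also decides which RBAC bindings can create objects that feed cluster-wide report results, so a namespace-level RoleBinding would currently suffice. The same content appears in the clusterreportrequests CRD file whose hunk begins before this chunk. Since the `controller-gen.kubebuilder.io/version` annotation marks this as generated output, the fix belongs on the Go type marker, e.g. `// +kubebuilder:resource:path=clusterreportrequests,scope="Cluster"`, with the description corrected to `ClusterReportRequest is the Schema for the clusterreportrequests API`, and the CRD files regenerated.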
@@ -1403,6 +1762,344 @@ spec: served: true storage: true --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: reportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ReportRequest + listKind: ReportRequestList + plural: reportrequests + singular: reportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index ec17d89f32..1d1f1d8e5d 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -280,7 +280,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: clusterpolicyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -343,6 +344,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string 
@@ -473,6 +477,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: @@ -487,9 +498,8 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the policy report scope. - For example. the report may be for all resources in a namespace, a for - a node, or cluster-wide. + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. 
@@ -681,6 +691,344 @@ spec: --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: clusterreportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ClusterReportRequest + listKind: ClusterReportRequestList + plural: clusterreportrequests + singular: clusterreportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ClusterReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: @@ -1006,7 +1354,8 @@ apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.2.4 + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null name: policyreports.policy.kubernetes.io spec: additionalPrinterColumns: @@ -1068,6 +1417,9 @@ spec: description: PolicyReportResult provides the result for an individual policy properties: + category: + description: Category indicates policy category + type: string data: additionalProperties: type: string @@ -1198,6 +1550,13 @@ spec: scored: description: Scored indicates if this policy rule is scored type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string status: description: Status indicates the result of the policy rule check enum: 
@@ -1403,6 +1762,344 @@ spec: served: true storage: true --- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.2.5 + creationTimestamp: null + name: reportrequests.policy.kubernetes.io +spec: + additionalPrinterColumns: + - JSONPath: .scope.kind + name: Kind + priority: 1 + type: string + - JSONPath: .scope.name + name: Name + priority: 1 + type: string + - JSONPath: .summary.pass + name: Pass + type: integer + - JSONPath: .summary.fail + name: Fail + type: integer + - JSONPath: .summary.warn + name: Warn + type: integer + - JSONPath: .summary.error + name: Error + type: integer + - JSONPath: .summary.skip + name: Skip + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: policy.kubernetes.io + names: + kind: ReportRequest + listKind: ReportRequestList + plural: reportrequests + singular: reportrequest + scope: Namespaced + subresources: {} + validation: + openAPIV3Schema: + description: ReportRequest is the Schema for the reportrequests API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + data: + additionalProperties: + type: string + description: Data provides additional information for the policy rule + type: object + message: + description: Message is a short user friendly description of the policy + rule + type: string + policy: + description: Policy is the name of the policy + type: string + resourceSelector: + description: ResourceSelector is an optional selector for policy results + that apply to multiple resources. For example, a policy result may + apply to all pods that match a label. Either a Resource or a ResourceSelector + can be specified. If neither are provided, the result is assumed + to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + resources: + description: Resources is an optional reference to the resource checked + by the policy and rule + items: + description: 'ObjectReference contains enough information to let + you inspect or modify the referred object. --- New uses of this + type are discouraged because of difficulty describing its usage + when embedded in APIs. 1. Ignored fields. It includes many fields + which are not generally honored. For instance, ResourceVersion + and FieldPath are both very rarely valid in actual usage. 2. + Invalid usage help. It is impossible to add specific help for + individual usage. In most embedded usages, there are particular restrictions + like, "must refer only to types A and B" or "UID not honored" + or "name must be restricted". Those cannot be well described + when embedded. 3. Inconsistent validation. Because the usages + are different, the validation rules are different by usage, which + makes it hard for users to predict what will happen. 4. The fields + are both imprecise and overly precise. Kind is not a precise + mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is + on the group,resource tuple and the version of the actual + struct is irrelevant. 5. We cannot easily change it. Because + this type is embedded in many locations, updates to this type will + affect numerous schemas. Don''t make new APIs embed an underspecified + API type they do not control. 
Instead of using this type, create + a locally provided and used type that is well-focused on your + reference. For example, ServiceReferences for admission registration: + https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + .' + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + type: array + rule: + description: Rule is the name of the policy rule + type: string + scored: + description: Scored indicates if this policy rule is scored + type: boolean + severity: + description: Severity indicates policy severity + enum: + - High + - Low + - Medium + type: string + status: + description: Status indicates the result of the policy rule check + enum: + - Pass + - Fail + - Warn + - Error + - Skip + type: string + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. a + Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire + object, this string should contain a valid JSON/Go field access statement, + such as desiredState.manifest.containers[2]. For example, if the object + reference is to a container within a pod, this would take on a value + like: "spec.containers{name}" (where "name" refers to the name of + the container that triggered the event) or if no container name is + specified "spec.containers[2]" (container with index 2 in this pod). + This syntax is chosen only to have some well-defined way of referencing + a part of an object. TODO: this design is not final and this field + is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, + if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of unscored policies whose requirements + were not met + type: integer + required: + - error + - fail + - pass + - skip + - warn + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- apiVersion: v1 kind: ServiceAccount metadata: diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go index d0581e4d39..002d0ad161 100755 --- a/pkg/api/kyverno/v1/types.go +++ b/pkg/api/kyverno/v1/types.go @@ -193,7 +193,7 @@ type Rule struct { } type ContextEntry struct { - Name string `json:"name,omitempty" yaml:"name,omitempty"` + Name string `json:"name,omitempty" yaml:"name,omitempty"` ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"` } diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go index 17d4f37930..d798b88bcc 100755 --- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go +++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go 
@@ -193,7 +193,11 @@ func (in *ConfigMapReference) DeepCopy() *ConfigMapReference { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ContextEntry) DeepCopyInto(out *ContextEntry) { *out = *in - out.ConfigMap = in.ConfigMap + if in.ConfigMap != nil { + in, out := &in.ConfigMap, &out.ConfigMap + *out = new(ConfigMapReference) + **out = **in + } return } @@ -689,6 +693,13 @@ func (in *ResourceSpec) DeepCopy() *ResourceSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in + if in.Context != nil { + in, out := &in.Context, &out.Context + *out = make([]ContextEntry, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } in.MatchResources.DeepCopyInto(&out.MatchResources) in.ExcludeResources.DeepCopyInto(&out.ExcludeResources) if in.Conditions != nil { @@ -701,11 +712,6 @@ func (in *Rule) DeepCopyInto(out *Rule) { in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) in.Generation.DeepCopyInto(&out.Generation) - if in.Context != nil { - in, out := &in.Context, &out.Context - *out = make([]ContextEntry, len(*in)) - copy(*out, *in) - } return } diff --git a/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go b/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go index ac149016f2..d4633568af 100755 --- a/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go +++ b/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go 
@@ -36,6 +36,7 @@ import ( // +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` // +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:shortName=cpolr // ClusterPolicyReport is the Schema for the clusterpolicyreports API type ClusterPolicyReport struct { diff --git a/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go b/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go new file mode 100644 index 0000000000..3d66f676ad --- /dev/null +++ b/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go 
@@ -0,0 +1,73 @@ +/* +Copyright 2020 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 +// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 +// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass` +// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail` +// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn` +// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` +// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// ClusterReportRequest is the Schema for the reportrequests API +type ClusterReportRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Scope is an optional reference to the report scope (e.g. 
a Deployment, Namespace, or Node) + // +optional + Scope *corev1.ObjectReference `json:"scope,omitempty"` + + // ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + // Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + // +optional + ScopeSelector *metav1.LabelSelector `json:"scopeSelector,omitempty"` + + // PolicyReportSummary provides a summary of results + // +optional + Summary PolicyReportSummary `json:"summary,omitempty"` + + // PolicyReportResult provides result details + // +optional + Results []*PolicyReportResult `json:"results,omitempty"` +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// ClusterReportRequestList contains a list of ClusterReportRequest +type ClusterReportRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ClusterReportRequest `json:"items"` +} + +func init() { + SchemeBuilder.Register(&ClusterReportRequest{}, &ClusterReportRequestList{}) +} diff --git a/pkg/api/policyreport/v1alpha1/policyreport_types.go b/pkg/api/policyreport/v1alpha1/policyreport_types.go index 0540abbd97..40df0fa3c7 100755 --- a/pkg/api/policyreport/v1alpha1/policyreport_types.go +++ b/pkg/api/policyreport/v1alpha1/policyreport_types.go @@ -1,12 +1,9 @@ /* Copyright 2020 The Kubernetes authors. - Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
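Review bot: ClusterReportRequest has no scope marker, so controller-gen will emit a Namespaced CRD and client-gen a namespaced client — the generated `ClusterReportRequests(namespace string)` getter and `Namespace(c.ns)` call later in this diff confirm the latter — which contradicts the `Cluster` prefix. If it is meant to be cluster-scoped like ClusterPolicyReport, add `// +kubebuilder:resource:scope=Cluster` and `// +genclient:nonNamespaced` to the marker block above the type and regenerate. The doc comment `// ClusterReportRequest is the Schema for the reportrequests API` also looks copy-pasted; `clusterreportrequests API` matches the plural the generator will pick. The clusterreportrequests CRD is not fully visible in this view, so I cannot confirm its generated scope from here.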
@@ -58,7 +55,14 @@ type PolicyReportSummary struct { // +kubebuilder:validation:Enum=Pass;Fail;Warn;Error;Skip type PolicyStatus string -// PolicyReportResult provides the result for an individual policy or rule +// PolicySeverity has one of the following values: +// - High +// - Low +// - Medium +// +kubebuilder:validation:Enum=High;Low;Medium +type PolicySeverity string + +// PolicyReportResult provides the result for an individual policy type PolicyReportResult struct { // Policy is the name of the policy @@ -72,6 +76,13 @@ type PolicyReportResult struct { // +optional Resources []*corev1.ObjectReference `json:"resources,omitempty"` + // ResourceSelector is an optional selector for policy results that apply to multiple resources. + // For example, a policy result may apply to all pods that match a label. + // Either a Resource or a ResourceSelector can be specified. If neither are provided, the + // result is assumed to be for the policy report scope. + // +optional + ResourceSelector *metav1.LabelSelector `json:"resourceSelector,omitempty"` + // Message is a short user friendly description of the policy rule Message string `json:"message,omitempty"` @@ -83,6 +94,14 @@ type PolicyReportResult struct { // Data provides additional information for the policy rule Data map[string]string `json:"data,omitempty"` + + // Category indicates policy category + // +optional + Category string `json:"category,omitempty"` + + // Severity indicates policy severity + // +optional + Severity PolicySeverity `json:"severity,omitempty"` } // +genclient @@ -96,6 +115,7 @@ type PolicyReportResult struct { // +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` // +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:resource:shortName=polr // PolicyReport is the Schema for the policyreports API type PolicyReport struct { 
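Review bot: The new ResourceSelector comment says `Either a Resource or a ResourceSelector can be specified`, but the sibling field is `Resources []*corev1.ObjectReference`, and nothing in the type or the generated schema enforces that exclusivity — a result with both set is admitted and whoever reads it has to pick one. I would fix the comment to `Either Resources or ResourceSelector can be specified, not both; if neither is provided, the result applies to the policy report scope.` and have the code that builds or consumes PolicyReportResult reject or at least log the both-set case, since the aggregation that interprets it is outside this diff. The struct-level comment was also trimmed to `provides the result for an individual policy` while the type still carries a `Rule` field, so `policy rule` would be more accurate.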
diff --git a/pkg/api/policyreport/v1alpha1/reportrequest_types.go b/pkg/api/policyreport/v1alpha1/reportrequest_types.go new file mode 100644 index 0000000000..a73cc9dff7 --- /dev/null +++ b/pkg/api/policyreport/v1alpha1/reportrequest_types.go 
@@ -0,0 +1,73 @@ +/* +Copyright 2020 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! +// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 +// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 +// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass` +// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail` +// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn` +// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` +// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" + +// ReportRequest is the Schema for the reportrequests API +type ReportRequest struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Scope is an optional reference to the report scope (e.g. 
a Deployment, Namespace, or Node) + // +optional + Scope *corev1.ObjectReference `json:"scope,omitempty"` + + // ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + // Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + // +optional + ScopeSelector *metav1.LabelSelector `json:"scopeSelector,omitempty"` + + // PolicyReportSummary provides a summary of results + // +optional + Summary PolicyReportSummary `json:"summary,omitempty"` + + // PolicyReportResult provides result details + // +optional + Results []*PolicyReportResult `json:"results,omitempty"` +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// ReportRequestList contains a list of ReportRequest +type ReportRequestList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []ReportRequest `json:"items"` +} + +func init() { + SchemeBuilder.Register(&ReportRequest{}, &ReportRequestList{}) +} diff --git a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go index 70b1417e28..c198c184e6 100644 --- a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go 
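Review bot: `Either one of, or none of, but not both of, Scope or ScopeSelector should be specified` lives only in a comment; both fields are `+optional` and the generated reportrequests CRD earlier in this diff has no oneOf-style rule, so the API server will admit a ReportRequest with both set. Because ReportRequest is an intermediate object that feeds report aggregation, the controller consuming it should treat a both-set object as invalid rather than silently preferring one field. This diff also adds the CRD without any visible RBAC for reportrequests; if principals other than Kyverno's own service account can create or update them, report contents can be injected into the aggregated PolicyReport, so the chart's ClusterRole (not shown here) is worth checking. Minor style point: Go field comments start with the field name, e.g. `// Summary provides a summary of results` and `// Results provides result details`.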
@@ -1,27 +1,11 @@ // +build !ignore_autogenerated -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by controller-gen. DO NOT EDIT. package v1alpha1 import ( - v1 "k8s.io/api/core/v1" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -53,7 +37,6 @@ func (in *ClusterPolicyReport) DeepCopyInto(out *ClusterPolicyReport) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReport. @@ -86,7 +69,6 @@ func (in *ClusterPolicyReportList) DeepCopyInto(out *ClusterPolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReportList. 
@@ -107,6 +89,85 @@ func (in *ClusterPolicyReportList) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterReportRequest) DeepCopyInto(out *ClusterReportRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Scope != nil { + in, out := &in.Scope, &out.Scope + *out = new(v1.ObjectReference) + **out = **in + } + if in.ScopeSelector != nil { + in, out := &in.ScopeSelector, &out.ScopeSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } + out.Summary = in.Summary + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]*PolicyReportResult, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(PolicyReportResult) + (*in).DeepCopyInto(*out) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportRequest. +func (in *ClusterReportRequest) DeepCopy() *ClusterReportRequest { + if in == nil { + return nil + } + out := new(ClusterReportRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterReportRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterReportRequestList) DeepCopyInto(out *ClusterReportRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterReportRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportRequestList. +func (in *ClusterReportRequestList) DeepCopy() *ClusterReportRequestList { + if in == nil { + return nil + } + out := new(ClusterReportRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterReportRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyReport) DeepCopyInto(out *PolicyReport) { *out = *in @@ -134,7 +195,6 @@ func (in *PolicyReport) DeepCopyInto(out *PolicyReport) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReport. @@ -167,7 +227,6 @@ func (in *PolicyReportList) DeepCopyInto(out *PolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportList. @@ -202,6 +261,11 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) { } } } + if in.ResourceSelector != nil { + in, out := &in.ResourceSelector, &out.ResourceSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } if in.Data != nil { in, out := &in.Data, &out.Data *out = make(map[string]string, len(*in)) 
@@ -209,7 +273,6 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) { (*out)[key] = val } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportResult. @@ -225,7 +288,6 @@ func (in *PolicyReportResult) DeepCopy() *PolicyReportResult { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyReportSummary) DeepCopyInto(out *PolicyReportSummary) { *out = *in - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportSummary. 
@@ -237,3 +299,82 @@ func (in *PolicyReportSummary) DeepCopy() *PolicyReportSummary { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReportRequest) DeepCopyInto(out *ReportRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + if in.Scope != nil { + in, out := &in.Scope, &out.Scope + *out = new(v1.ObjectReference) + **out = **in + } + if in.ScopeSelector != nil { + in, out := &in.ScopeSelector, &out.ScopeSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } + out.Summary = in.Summary + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]*PolicyReportResult, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(PolicyReportResult) + (*in).DeepCopyInto(*out) + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportRequest. +func (in *ReportRequest) DeepCopy() *ReportRequest { + if in == nil { + return nil + } + out := new(ReportRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReportRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ReportRequestList) DeepCopyInto(out *ReportRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ReportRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportRequestList. 
+func (in *ReportRequestList) DeepCopy() *ReportRequestList { + if in == nil { + return nil + } + out := new(ReportRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ReportRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/clusterreportrequest.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/clusterreportrequest.go new file mode 100644 index 0000000000..3a6b7d6879 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/clusterreportrequest.go 
@@ -0,0 +1,178 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ClusterReportRequestsGetter has a method to return a ClusterReportRequestInterface. +// A group's client should implement this interface. +type ClusterReportRequestsGetter interface { + ClusterReportRequests(namespace string) ClusterReportRequestInterface +} + +// ClusterReportRequestInterface has methods to work with ClusterReportRequest resources. 
+type ClusterReportRequestInterface interface { + Create(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.CreateOptions) (*v1alpha1.ClusterReportRequest, error) + Update(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.UpdateOptions) (*v1alpha1.ClusterReportRequest, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ClusterReportRequest, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ClusterReportRequestList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterReportRequest, err error) + ClusterReportRequestExpansion +} + +// clusterReportRequests implements ClusterReportRequestInterface +type clusterReportRequests struct { + client rest.Interface + ns string +} + +// newClusterReportRequests returns a ClusterReportRequests +func newClusterReportRequests(c *PolicyV1alpha1Client, namespace string) *clusterReportRequests { + return &clusterReportRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the clusterReportRequest, and returns the corresponding clusterReportRequest object, and an error if there is any. +func (c *clusterReportRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterReportRequest, err error) { + result = &v1alpha1.ClusterReportRequest{} + err = c.client.Get(). + Namespace(c.ns). + Resource("clusterreportrequests"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). 
+ Into(result) + return +} + +// List takes label and field selectors, and returns the list of ClusterReportRequests that match those selectors. +func (c *clusterReportRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterReportRequestList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ClusterReportRequestList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("clusterreportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested clusterReportRequests. +func (c *clusterReportRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("clusterreportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a clusterReportRequest and creates it. Returns the server's representation of the clusterReportRequest, and an error, if there is any. +func (c *clusterReportRequests) Create(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.CreateOptions) (result *v1alpha1.ClusterReportRequest, err error) { + result = &v1alpha1.ClusterReportRequest{} + err = c.client.Post(). + Namespace(c.ns). + Resource("clusterreportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterReportRequest). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a clusterReportRequest and updates it. Returns the server's representation of the clusterReportRequest, and an error, if there is any. 
+func (c *clusterReportRequests) Update(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.UpdateOptions) (result *v1alpha1.ClusterReportRequest, err error) { + result = &v1alpha1.ClusterReportRequest{} + err = c.client.Put(). + Namespace(c.ns). + Resource("clusterreportrequests"). + Name(clusterReportRequest.Name). + VersionedParams(&opts, scheme.ParameterCodec). + Body(clusterReportRequest). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the clusterReportRequest and deletes it. Returns an error if one occurs. +func (c *clusterReportRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("clusterreportrequests"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *clusterReportRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("clusterreportrequests"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched clusterReportRequest. +func (c *clusterReportRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterReportRequest, err error) { + result = &v1alpha1.ClusterReportRequest{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("clusterreportrequests"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} 
diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_clusterreportrequest.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_clusterreportrequest.go new file mode 100644 index 0000000000..34a2ff9d94 --- /dev/null +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_clusterreportrequest.go 
@@ -0,0 +1,130 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeClusterReportRequests implements ClusterReportRequestInterface +type FakeClusterReportRequests struct { + Fake *FakePolicyV1alpha1 + ns string +} + +var clusterreportrequestsResource = schema.GroupVersionResource{Group: "policy.kubernetes.io", Version: "v1alpha1", Resource: "clusterreportrequests"} + +var clusterreportrequestsKind = schema.GroupVersionKind{Group: "policy.kubernetes.io", Version: "v1alpha1", Kind: "ClusterReportRequest"} + +// Get takes name of the clusterReportRequest, and returns the corresponding clusterReportRequest object, and an error if there is any. +func (c *FakeClusterReportRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ClusterReportRequest, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewGetAction(clusterreportrequestsResource, c.ns, name), &v1alpha1.ClusterReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterReportRequest), err +} + +// List takes label and field selectors, and returns the list of ClusterReportRequests that match those selectors. +func (c *FakeClusterReportRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ClusterReportRequestList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(clusterreportrequestsResource, clusterreportrequestsKind, c.ns, opts), &v1alpha1.ClusterReportRequestList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ClusterReportRequestList{ListMeta: obj.(*v1alpha1.ClusterReportRequestList).ListMeta} + for _, item := range obj.(*v1alpha1.ClusterReportRequestList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested clusterReportRequests. +func (c *FakeClusterReportRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(clusterreportrequestsResource, c.ns, opts)) + +} + +// Create takes the representation of a clusterReportRequest and creates it. Returns the server's representation of the clusterReportRequest, and an error, if there is any. +func (c *FakeClusterReportRequests) Create(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.CreateOptions) (result *v1alpha1.ClusterReportRequest, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewCreateAction(clusterreportrequestsResource, c.ns, clusterReportRequest), &v1alpha1.ClusterReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterReportRequest), err +} + +// Update takes the representation of a clusterReportRequest and updates it. Returns the server's representation of the clusterReportRequest, and an error, if there is any. +func (c *FakeClusterReportRequests) Update(ctx context.Context, clusterReportRequest *v1alpha1.ClusterReportRequest, opts v1.UpdateOptions) (result *v1alpha1.ClusterReportRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewUpdateAction(clusterreportrequestsResource, c.ns, clusterReportRequest), &v1alpha1.ClusterReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterReportRequest), err +} + +// Delete takes name of the clusterReportRequest and deletes it. Returns an error if one occurs. +func (c *FakeClusterReportRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(clusterreportrequestsResource, c.ns, name), &v1alpha1.ClusterReportRequest{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeClusterReportRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(clusterreportrequestsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ClusterReportRequestList{}) + return err +} + +// Patch applies the patch and returns the patched clusterReportRequest. +func (c *FakeClusterReportRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ClusterReportRequest, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewPatchSubresourceAction(clusterreportrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.ClusterReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ClusterReportRequest), err +} diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_policyreport_client.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_policyreport_client.go index f6c00696db..3417aef5b9 100755 --- a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_policyreport_client.go +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_policyreport_client.go @@ -32,10 +32,18 @@ func (c *FakePolicyV1alpha1) ClusterPolicyReports() v1alpha1.ClusterPolicyReport return &FakeClusterPolicyReports{c} } +func (c *FakePolicyV1alpha1) ClusterReportRequests(namespace string) v1alpha1.ClusterReportRequestInterface { + return &FakeClusterReportRequests{c, namespace} +} + func (c *FakePolicyV1alpha1) PolicyReports(namespace string) v1alpha1.PolicyReportInterface { return &FakePolicyReports{c, namespace} } +func (c *FakePolicyV1alpha1) ReportRequests(namespace string) v1alpha1.ReportRequestInterface { + return &FakeReportRequests{c, namespace} +} + // RESTClient returns a RESTClient that is used to communicate // with API server by this client implementation. func (c *FakePolicyV1alpha1) RESTClient() rest.Interface { diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_reportrequest.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_reportrequest.go new file mode 100644 index 0000000000..1ac5fa8b4f --- /dev/null +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/fake/fake_reportrequest.go 
@@ -0,0 +1,130 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" + schema "k8s.io/apimachinery/pkg/runtime/schema" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + testing "k8s.io/client-go/testing" +) + +// FakeReportRequests implements ReportRequestInterface +type FakeReportRequests struct { + Fake *FakePolicyV1alpha1 + ns string +} + +var reportrequestsResource = schema.GroupVersionResource{Group: "policy.kubernetes.io", Version: "v1alpha1", Resource: "reportrequests"} + +var reportrequestsKind = schema.GroupVersionKind{Group: "policy.kubernetes.io", Version: "v1alpha1", Kind: "ReportRequest"} + +// Get takes name of the reportRequest, and returns the corresponding reportRequest object, and an error if there is any. +func (c *FakeReportRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ReportRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewGetAction(reportrequestsResource, c.ns, name), &v1alpha1.ReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ReportRequest), err +} + +// List takes label and field selectors, and returns the list of ReportRequests that match those selectors. 
+func (c *FakeReportRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ReportRequestList, err error) { + obj, err := c.Fake. + Invokes(testing.NewListAction(reportrequestsResource, reportrequestsKind, c.ns, opts), &v1alpha1.ReportRequestList{}) + + if obj == nil { + return nil, err + } + + label, _, _ := testing.ExtractFromListOptions(opts) + if label == nil { + label = labels.Everything() + } + list := &v1alpha1.ReportRequestList{ListMeta: obj.(*v1alpha1.ReportRequestList).ListMeta} + for _, item := range obj.(*v1alpha1.ReportRequestList).Items { + if label.Matches(labels.Set(item.Labels)) { + list.Items = append(list.Items, item) + } + } + return list, err +} + +// Watch returns a watch.Interface that watches the requested reportRequests. +func (c *FakeReportRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + return c.Fake. + InvokesWatch(testing.NewWatchAction(reportrequestsResource, c.ns, opts)) + +} + +// Create takes the representation of a reportRequest and creates it. Returns the server's representation of the reportRequest, and an error, if there is any. +func (c *FakeReportRequests) Create(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.CreateOptions) (result *v1alpha1.ReportRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewCreateAction(reportrequestsResource, c.ns, reportRequest), &v1alpha1.ReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ReportRequest), err +} + +// Update takes the representation of a reportRequest and updates it. Returns the server's representation of the reportRequest, and an error, if there is any. +func (c *FakeReportRequests) Update(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.UpdateOptions) (result *v1alpha1.ReportRequest, err error) { + obj, err := c.Fake. 
+ Invokes(testing.NewUpdateAction(reportrequestsResource, c.ns, reportRequest), &v1alpha1.ReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ReportRequest), err +} + +// Delete takes name of the reportRequest and deletes it. Returns an error if one occurs. +func (c *FakeReportRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + _, err := c.Fake. + Invokes(testing.NewDeleteAction(reportrequestsResource, c.ns, name), &v1alpha1.ReportRequest{}) + + return err +} + +// DeleteCollection deletes a collection of objects. +func (c *FakeReportRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + action := testing.NewDeleteCollectionAction(reportrequestsResource, c.ns, listOpts) + + _, err := c.Fake.Invokes(action, &v1alpha1.ReportRequestList{}) + return err +} + +// Patch applies the patch and returns the patched reportRequest. +func (c *FakeReportRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ReportRequest, err error) { + obj, err := c.Fake. + Invokes(testing.NewPatchSubresourceAction(reportrequestsResource, c.ns, name, pt, data, subresources...), &v1alpha1.ReportRequest{}) + + if obj == nil { + return nil, err + } + return obj.(*v1alpha1.ReportRequest), err +} diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/generated_expansion.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/generated_expansion.go index c649bc0a20..d65bc0aa9e 100755 --- a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/generated_expansion.go +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/generated_expansion.go @@ -20,4 +20,8 @@ package v1alpha1 type ClusterPolicyReportExpansion interface{} +type ClusterReportRequestExpansion interface{} + type PolicyReportExpansion interface{} + +type ReportRequestExpansion interface{} 
diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/policyreport_client.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/policyreport_client.go index a290a2a455..56cf4de19c 100755 --- a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/policyreport_client.go +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/policyreport_client.go @@ -27,7 +27,9 @@ import ( type PolicyV1alpha1Interface interface { RESTClient() rest.Interface ClusterPolicyReportsGetter + ClusterReportRequestsGetter PolicyReportsGetter + ReportRequestsGetter } // PolicyV1alpha1Client is used to interact with features provided by the policy.kubernetes.io group. @@ -39,10 +41,18 @@ func (c *PolicyV1alpha1Client) ClusterPolicyReports() ClusterPolicyReportInterfa return newClusterPolicyReports(c) } +func (c *PolicyV1alpha1Client) ClusterReportRequests(namespace string) ClusterReportRequestInterface { + return newClusterReportRequests(c, namespace) +} + func (c *PolicyV1alpha1Client) PolicyReports(namespace string) PolicyReportInterface { return newPolicyReports(c, namespace) } +func (c *PolicyV1alpha1Client) ReportRequests(namespace string) ReportRequestInterface { + return newReportRequests(c, namespace) +} + // NewForConfig creates a new PolicyV1alpha1Client for the given config. func NewForConfig(c *rest.Config) (*PolicyV1alpha1Client, error) { config := *c diff --git a/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/reportrequest.go b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/reportrequest.go new file mode 100644 index 0000000000..64ce39485a --- /dev/null +++ b/pkg/client/clientset/versioned/typed/policyreport/v1alpha1/reportrequest.go 
@@ -0,0 +1,178 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + "time" + + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + types "k8s.io/apimachinery/pkg/types" + watch "k8s.io/apimachinery/pkg/watch" + rest "k8s.io/client-go/rest" +) + +// ReportRequestsGetter has a method to return a ReportRequestInterface. +// A group's client should implement this interface. +type ReportRequestsGetter interface { + ReportRequests(namespace string) ReportRequestInterface +} + +// ReportRequestInterface has methods to work with ReportRequest resources. 
+type ReportRequestInterface interface { + Create(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.CreateOptions) (*v1alpha1.ReportRequest, error) + Update(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.UpdateOptions) (*v1alpha1.ReportRequest, error) + Delete(ctx context.Context, name string, opts v1.DeleteOptions) error + DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error + Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ReportRequest, error) + List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ReportRequestList, error) + Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) + Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ReportRequest, err error) + ReportRequestExpansion +} + +// reportRequests implements ReportRequestInterface +type reportRequests struct { + client rest.Interface + ns string +} + +// newReportRequests returns a ReportRequests +func newReportRequests(c *PolicyV1alpha1Client, namespace string) *reportRequests { + return &reportRequests{ + client: c.RESTClient(), + ns: namespace, + } +} + +// Get takes name of the reportRequest, and returns the corresponding reportRequest object, and an error if there is any. +func (c *reportRequests) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ReportRequest, err error) { + result = &v1alpha1.ReportRequest{} + err = c.client.Get(). + Namespace(c.ns). + Resource("reportrequests"). + Name(name). + VersionedParams(&options, scheme.ParameterCodec). + Do(ctx). + Into(result) + return +} + +// List takes label and field selectors, and returns the list of ReportRequests that match those selectors. 
+func (c *reportRequests) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ReportRequestList, err error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + result = &v1alpha1.ReportRequestList{} + err = c.client.Get(). + Namespace(c.ns). + Resource("reportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Do(ctx). + Into(result) + return +} + +// Watch returns a watch.Interface that watches the requested reportRequests. +func (c *reportRequests) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { + var timeout time.Duration + if opts.TimeoutSeconds != nil { + timeout = time.Duration(*opts.TimeoutSeconds) * time.Second + } + opts.Watch = true + return c.client.Get(). + Namespace(c.ns). + Resource("reportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Timeout(timeout). + Watch(ctx) +} + +// Create takes the representation of a reportRequest and creates it. Returns the server's representation of the reportRequest, and an error, if there is any. +func (c *reportRequests) Create(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.CreateOptions) (result *v1alpha1.ReportRequest, err error) { + result = &v1alpha1.ReportRequest{} + err = c.client.Post(). + Namespace(c.ns). + Resource("reportrequests"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(reportRequest). + Do(ctx). + Into(result) + return +} + +// Update takes the representation of a reportRequest and updates it. Returns the server's representation of the reportRequest, and an error, if there is any. +func (c *reportRequests) Update(ctx context.Context, reportRequest *v1alpha1.ReportRequest, opts v1.UpdateOptions) (result *v1alpha1.ReportRequest, err error) { + result = &v1alpha1.ReportRequest{} + err = c.client.Put(). + Namespace(c.ns). + Resource("reportrequests"). + Name(reportRequest.Name). 
+ VersionedParams(&opts, scheme.ParameterCodec). + Body(reportRequest). + Do(ctx). + Into(result) + return +} + +// Delete takes name of the reportRequest and deletes it. Returns an error if one occurs. +func (c *reportRequests) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { + return c.client.Delete(). + Namespace(c.ns). + Resource("reportrequests"). + Name(name). + Body(&opts). + Do(ctx). + Error() +} + +// DeleteCollection deletes a collection of objects. +func (c *reportRequests) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { + var timeout time.Duration + if listOpts.TimeoutSeconds != nil { + timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second + } + return c.client.Delete(). + Namespace(c.ns). + Resource("reportrequests"). + VersionedParams(&listOpts, scheme.ParameterCodec). + Timeout(timeout). + Body(&opts). + Do(ctx). + Error() +} + +// Patch applies the patch and returns the patched reportRequest. +func (c *reportRequests) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ReportRequest, err error) { + result = &v1alpha1.ReportRequest{} + err = c.client.Patch(pt). + Namespace(c.ns). + Resource("reportrequests"). + Name(name). + SubResource(subresources...). + VersionedParams(&opts, scheme.ParameterCodec). + Body(data). + Do(ctx). + Into(result) + return +} diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go index 18aaad05c6..db93642da6 100755 --- a/pkg/client/informers/externalversions/generic.go +++ b/pkg/client/informers/externalversions/generic.go 
@@ -68,8 +68,12 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource // Group=policy.kubernetes.io, Version=v1alpha1 case v1alpha1.SchemeGroupVersion.WithResource("clusterpolicyreports"): return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().ClusterPolicyReports().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("clusterreportrequests"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().ClusterReportRequests().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("policyreports"): return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().PolicyReports().Informer()}, nil + case v1alpha1.SchemeGroupVersion.WithResource("reportrequests"): + return &genericInformer{resource: resource.GroupResource(), informer: f.Policy().V1alpha1().ReportRequests().Informer()}, nil } diff --git a/pkg/client/informers/externalversions/policyreport/v1alpha1/clusterreportrequest.go b/pkg/client/informers/externalversions/policyreport/v1alpha1/clusterreportrequest.go new file mode 100644 index 0000000000..ff726accd1 --- /dev/null +++ b/pkg/client/informers/externalversions/policyreport/v1alpha1/clusterreportrequest.go 
@@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + policyreportv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/kyverno/kyverno/pkg/client/listers/policyreport/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ClusterReportRequestInformer provides access to a shared informer and lister for +// ClusterReportRequests. +type ClusterReportRequestInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ClusterReportRequestLister +} + +type clusterReportRequestInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewClusterReportRequestInformer constructs a new informer for ClusterReportRequest type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewClusterReportRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredClusterReportRequestInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredClusterReportRequestInformer constructs a new informer for ClusterReportRequest type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredClusterReportRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().ClusterReportRequests(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().ClusterReportRequests(namespace).Watch(context.TODO(), options) + }, + }, + &policyreportv1alpha1.ClusterReportRequest{}, + resyncPeriod, + indexers, + ) +} + +func (f *clusterReportRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredClusterReportRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *clusterReportRequestInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&policyreportv1alpha1.ClusterReportRequest{}, f.defaultInformer) +} + +func (f *clusterReportRequestInformer) Lister() v1alpha1.ClusterReportRequestLister { + return 
v1alpha1.NewClusterReportRequestLister(f.Informer().GetIndexer()) +} diff --git a/pkg/client/informers/externalversions/policyreport/v1alpha1/interface.go b/pkg/client/informers/externalversions/policyreport/v1alpha1/interface.go index a5f300ee2a..25dd618ec0 100755 --- a/pkg/client/informers/externalversions/policyreport/v1alpha1/interface.go +++ b/pkg/client/informers/externalversions/policyreport/v1alpha1/interface.go @@ -26,8 +26,12 @@ import ( type Interface interface { // ClusterPolicyReports returns a ClusterPolicyReportInformer. ClusterPolicyReports() ClusterPolicyReportInformer + // ClusterReportRequests returns a ClusterReportRequestInformer. + ClusterReportRequests() ClusterReportRequestInformer // PolicyReports returns a PolicyReportInformer. PolicyReports() PolicyReportInformer + // ReportRequests returns a ReportRequestInformer. + ReportRequests() ReportRequestInformer } type version struct { @@ -46,7 +50,17 @@ func (v *version) ClusterPolicyReports() ClusterPolicyReportInformer { return &clusterPolicyReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } +// ClusterReportRequests returns a ClusterReportRequestInformer. +func (v *version) ClusterReportRequests() ClusterReportRequestInformer { + return &clusterReportRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} + // PolicyReports returns a PolicyReportInformer. func (v *version) PolicyReports() PolicyReportInformer { return &policyReportInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} } + +// ReportRequests returns a ReportRequestInformer. +func (v *version) ReportRequests() ReportRequestInformer { + return &reportRequestInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} +} 
diff --git a/pkg/client/informers/externalversions/policyreport/v1alpha1/reportrequest.go b/pkg/client/informers/externalversions/policyreport/v1alpha1/reportrequest.go new file mode 100644 index 0000000000..6613169153 --- /dev/null +++ b/pkg/client/informers/externalversions/policyreport/v1alpha1/reportrequest.go 
@@ -0,0 +1,90 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by informer-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + "context" + time "time" + + policyreportv1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned" + internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces" + v1alpha1 "github.com/kyverno/kyverno/pkg/client/listers/policyreport/v1alpha1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + watch "k8s.io/apimachinery/pkg/watch" + cache "k8s.io/client-go/tools/cache" +) + +// ReportRequestInformer provides access to a shared informer and lister for +// ReportRequests. +type ReportRequestInformer interface { + Informer() cache.SharedIndexInformer + Lister() v1alpha1.ReportRequestLister +} + +type reportRequestInformer struct { + factory internalinterfaces.SharedInformerFactory + tweakListOptions internalinterfaces.TweakListOptionsFunc + namespace string +} + +// NewReportRequestInformer constructs a new informer for ReportRequest type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. 
+func NewReportRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { + return NewFilteredReportRequestInformer(client, namespace, resyncPeriod, indexers, nil) +} + +// NewFilteredReportRequestInformer constructs a new informer for ReportRequest type. +// Always prefer using an informer factory to get a shared informer instead of getting an independent +// one. This reduces memory footprint and number of connections to the server. +func NewFilteredReportRequestInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { + return cache.NewSharedIndexInformer( + &cache.ListWatch{ + ListFunc: func(options v1.ListOptions) (runtime.Object, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().ReportRequests(namespace).List(context.TODO(), options) + }, + WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { + if tweakListOptions != nil { + tweakListOptions(&options) + } + return client.PolicyV1alpha1().ReportRequests(namespace).Watch(context.TODO(), options) + }, + }, + &policyreportv1alpha1.ReportRequest{}, + resyncPeriod, + indexers, + ) +} + +func (f *reportRequestInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { + return NewFilteredReportRequestInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) +} + +func (f *reportRequestInformer) Informer() cache.SharedIndexInformer { + return f.factory.InformerFor(&policyreportv1alpha1.ReportRequest{}, f.defaultInformer) +} + +func (f *reportRequestInformer) Lister() v1alpha1.ReportRequestLister { + return v1alpha1.NewReportRequestLister(f.Informer().GetIndexer()) +} 
diff --git a/pkg/client/listers/policyreport/v1alpha1/clusterreportrequest.go b/pkg/client/listers/policyreport/v1alpha1/clusterreportrequest.go new file mode 100644 index 0000000000..f1cc7a4184 --- /dev/null +++ b/pkg/client/listers/policyreport/v1alpha1/clusterreportrequest.go 
@@ -0,0 +1,94 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ClusterReportRequestLister helps list ClusterReportRequests. +type ClusterReportRequestLister interface { + // List lists all ClusterReportRequests in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.ClusterReportRequest, err error) + // ClusterReportRequests returns an object that can list and get ClusterReportRequests. + ClusterReportRequests(namespace string) ClusterReportRequestNamespaceLister + ClusterReportRequestListerExpansion +} + +// clusterReportRequestLister implements the ClusterReportRequestLister interface. +type clusterReportRequestLister struct { + indexer cache.Indexer +} + +// NewClusterReportRequestLister returns a new ClusterReportRequestLister. +func NewClusterReportRequestLister(indexer cache.Indexer) ClusterReportRequestLister { + return &clusterReportRequestLister{indexer: indexer} +} + +// List lists all ClusterReportRequests in the indexer. 
+func (s *clusterReportRequestLister) List(selector labels.Selector) (ret []*v1alpha1.ClusterReportRequest, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ClusterReportRequest)) + }) + return ret, err +} + +// ClusterReportRequests returns an object that can list and get ClusterReportRequests. +func (s *clusterReportRequestLister) ClusterReportRequests(namespace string) ClusterReportRequestNamespaceLister { + return clusterReportRequestNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// ClusterReportRequestNamespaceLister helps list and get ClusterReportRequests. +type ClusterReportRequestNamespaceLister interface { + // List lists all ClusterReportRequests in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.ClusterReportRequest, err error) + // Get retrieves the ClusterReportRequest from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.ClusterReportRequest, error) + ClusterReportRequestNamespaceListerExpansion +} + +// clusterReportRequestNamespaceLister implements the ClusterReportRequestNamespaceLister +// interface. +type clusterReportRequestNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all ClusterReportRequests in the indexer for a given namespace. +func (s clusterReportRequestNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.ClusterReportRequest, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ClusterReportRequest)) + }) + return ret, err +} + +// Get retrieves the ClusterReportRequest from the indexer for a given namespace and name. 
+func (s clusterReportRequestNamespaceLister) Get(name string) (*v1alpha1.ClusterReportRequest, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("clusterreportrequest"), name) + } + return obj.(*v1alpha1.ClusterReportRequest), nil +} diff --git a/pkg/client/listers/policyreport/v1alpha1/expansion_generated.go b/pkg/client/listers/policyreport/v1alpha1/expansion_generated.go index d0f6e8a96b..669a025ed7 100755 --- a/pkg/client/listers/policyreport/v1alpha1/expansion_generated.go +++ b/pkg/client/listers/policyreport/v1alpha1/expansion_generated.go @@ -22,6 +22,14 @@ package v1alpha1 // ClusterPolicyReportLister. type ClusterPolicyReportListerExpansion interface{} +// ClusterReportRequestListerExpansion allows custom methods to be added to +// ClusterReportRequestLister. +type ClusterReportRequestListerExpansion interface{} + +// ClusterReportRequestNamespaceListerExpansion allows custom methods to be added to +// ClusterReportRequestNamespaceLister. +type ClusterReportRequestNamespaceListerExpansion interface{} + // PolicyReportListerExpansion allows custom methods to be added to // PolicyReportLister. type PolicyReportListerExpansion interface{} @@ -29,3 +37,11 @@ type PolicyReportListerExpansion interface{} // PolicyReportNamespaceListerExpansion allows custom methods to be added to // PolicyReportNamespaceLister. type PolicyReportNamespaceListerExpansion interface{} + +// ReportRequestListerExpansion allows custom methods to be added to +// ReportRequestLister. +type ReportRequestListerExpansion interface{} + +// ReportRequestNamespaceListerExpansion allows custom methods to be added to +// ReportRequestNamespaceLister. +type ReportRequestNamespaceListerExpansion interface{} 
diff --git a/pkg/client/listers/policyreport/v1alpha1/reportrequest.go b/pkg/client/listers/policyreport/v1alpha1/reportrequest.go new file mode 100644 index 0000000000..ec208883dc --- /dev/null +++ b/pkg/client/listers/policyreport/v1alpha1/reportrequest.go 
@@ -0,0 +1,94 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by lister-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + v1alpha1 "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/client-go/tools/cache" +) + +// ReportRequestLister helps list ReportRequests. +type ReportRequestLister interface { + // List lists all ReportRequests in the indexer. + List(selector labels.Selector) (ret []*v1alpha1.ReportRequest, err error) + // ReportRequests returns an object that can list and get ReportRequests. + ReportRequests(namespace string) ReportRequestNamespaceLister + ReportRequestListerExpansion +} + +// reportRequestLister implements the ReportRequestLister interface. +type reportRequestLister struct { + indexer cache.Indexer +} + +// NewReportRequestLister returns a new ReportRequestLister. +func NewReportRequestLister(indexer cache.Indexer) ReportRequestLister { + return &reportRequestLister{indexer: indexer} +} + +// List lists all ReportRequests in the indexer. +func (s *reportRequestLister) List(selector labels.Selector) (ret []*v1alpha1.ReportRequest, err error) { + err = cache.ListAll(s.indexer, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ReportRequest)) + }) + return ret, err +} + +// ReportRequests returns an object that can list and get ReportRequests. 
+func (s *reportRequestLister) ReportRequests(namespace string) ReportRequestNamespaceLister { + return reportRequestNamespaceLister{indexer: s.indexer, namespace: namespace} +} + +// ReportRequestNamespaceLister helps list and get ReportRequests. +type ReportRequestNamespaceLister interface { + // List lists all ReportRequests in the indexer for a given namespace. + List(selector labels.Selector) (ret []*v1alpha1.ReportRequest, err error) + // Get retrieves the ReportRequest from the indexer for a given namespace and name. + Get(name string) (*v1alpha1.ReportRequest, error) + ReportRequestNamespaceListerExpansion +} + +// reportRequestNamespaceLister implements the ReportRequestNamespaceLister +// interface. +type reportRequestNamespaceLister struct { + indexer cache.Indexer + namespace string +} + +// List lists all ReportRequests in the indexer for a given namespace. +func (s reportRequestNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.ReportRequest, err error) { + err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) { + ret = append(ret, m.(*v1alpha1.ReportRequest)) + }) + return ret, err +} + +// Get retrieves the ReportRequest from the indexer for a given namespace and name. +func (s reportRequestNamespaceLister) Get(name string) (*v1alpha1.ReportRequest, error) { + obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name) + if err != nil { + return nil, err + } + if !exists { + return nil, errors.NewNotFound(v1alpha1.Resource("reportrequest"), name) + } + return obj.(*v1alpha1.ReportRequest), nil +} diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index e98fa1963b..547cece742 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go 
@@ -63,8 +63,6 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { continue } - - // add configmap json data to context if err := AddResourceToContext(logger, rule.Context, resCache, jsonContext); err != nil { logger.V(4).Info("cannot add configmaps to context", "reason", err.Error()) diff --git a/pkg/kyverno/common/regex.go b/pkg/kyverno/common/regex.go index e1cbefebc7..f4a87e1827 100644 --- a/pkg/kyverno/common/regex.go +++ b/pkg/kyverno/common/regex.go @@ -5,4 +5,4 @@ import ( ) var REGEX_VARIABLES = regexp.MustCompile(`\{\{[^{}]*\}\}`) -var ALLOWED_VARIABLES = regexp.MustCompile(`\{\{\s*[request\.|serviceAccountName|serviceAccountNamespace][^{}]*\}\}`) \ No newline at end of file +var ALLOWED_VARIABLES = regexp.MustCompile(`\{\{\s*[request\.|serviceAccountName|serviceAccountNamespace][^{}]*\}\}`) diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 28cb41c91a..f56a567645 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -66,8 +66,6 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro return fmt.Errorf("path: spec.rules[%d]: %v", i, err) } - - // validate Cluster Resources in namespaced cluster policy // For namespaced cluster policy, ClusterResource type field and values are not allowed in match and exclude if !mock && p.ObjectMeta.Namespace != "" { @@ -450,13 +448,13 @@ func validateRuleType(r kyverno.Rule) error { return nil } -func validateRuleContext(rule kyverno.Rule) (error) { +func validateRuleContext(rule kyverno.Rule) error { if rule.Context == nil || len(rule.Context) == 0 { return nil } for _, entry := range rule.Context { - if entry.Name == ""{ + if entry.Name == "" { return fmt.Errorf("a name is required for context entries") }
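Review bot: The `ALLOWED_VARIABLES` pattern re-emitted on the new side of the regex.go hunk does not implement an allow-list: `[request\.|serviceAccountName|serviceAccountNamespace]` is a bracket character class, so it matches any single character from that set (r, e, q, u, s, t, ., |, v, i, c, A, o, n, N, a, m, p) followed by `[^{}]*`, and a variable such as `{{ secret }}` or `{{ env.X }}` is accepted as "allowed". The commit only appends the missing trailing newline, so the defect is carried forward unchanged. The intended alternation needs a group: `var ALLOWED_VARIABLES = regexp.MustCompile(`\{\{\s*(request\.|serviceAccountName|serviceAccountNamespace)[^{}]*\}\}`)`. Even with the group, `[^{}]*` still admits prefixes like `serviceAccountNameX`; if the callers (not visible here) rely on this as a security boundary, consider terminating the bare names with `\s*\}\}` instead, and add a unit test that pins both accepted and rejected inputs.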