From 2a136f5b8dd795260f9b1611050e33c2487cc6d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Thu, 14 Sep 2023 17:17:02 +0200 Subject: [PATCH] feat: use kubectl-validate to load policies (#8384) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: use kubectl-validate to load policies Signed-off-by: Charles-Edouard Brétéché * schemas Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * bump Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * policies v2beta1 Signed-off-by: Charles-Edouard Brétéché * option Signed-off-by: Charles-Edouard Brétéché * defaulting test Signed-off-by: Charles-Edouard Brétéché * makefile Signed-off-by: Charles-Edouard Brétéché * makefile Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- Makefile | 17 +- .../_testdata/policies/check-image.yaml | 25 + .../data/crds/kyverno.io_clusterpolicies.yaml | 17480 +++++++++++++++ .../data/crds/kyverno.io_policies.yaml | 17483 ++++++++++++++++ cmd/cli/kubectl-kyverno/data/data.go | 15 + .../experimental/experimental.go | 17 +- .../experimental/experimental_test.go | 10 +- cmd/cli/kubectl-kyverno/policy/load.go | 90 +- cmd/cli/kubectl-kyverno/policy/load_test.go | 64 + go.mod | 26 +- go.sum | 70 +- test/cli/test/images/digest/policies.yaml | 1 - 12 files changed, 35263 insertions(+), 35 deletions(-) create mode 100644 cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml create mode 100644 cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml create mode 100644 cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml create mode 100644 cmd/cli/kubectl-kyverno/data/data.go diff --git a/Makefile b/Makefile index 2b2dd7a666..5a83039ff4 100644 --- a/Makefile +++ b/Makefile 
@@ -523,6 +523,13 @@ codegen-cli-tests: $(CLI_BIN) ## Fix CLI test files
 @echo Fix CLI test files... >&2
 @KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test ./test/cli --save --compress
+.PHONY: codegen-cli-crds
+codegen-cli-crds: codegen-crds-kyverno ## Copy generated CRDs to embed in the CLI
+ @echo Copy generated CRDs to embed in the CLI... >&2
+ @rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
+ @cp config/crds/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
+ @cp config/crds/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
+
 .PHONY: codegen-docs-all
 codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs ## Generate all docs
@@ -654,6 +661,14 @@ verify-manifests: codegen-manifest-all ## Check manifests are up to date
 @echo 'To correct this, locally run "make codegen-manifest-all", commit the changes, and re-run tests.' >&2
 @git diff --quiet --exit-code ${INSTALL_MANIFEST_PATH}
+.PHONY: verify-cli-crds
+verify-cli-crds: codegen-cli-crds ## Check generated CRDs to be embedded in the CLI are up to date
+ @echo Checking generated CRDs to be embedded in the CLI are up to date... >&2
+ @git --no-pager diff cmd/cli/kubectl-kyverno/data/crds
+ @echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-cli-crds".' >&2
+ @echo 'To correct this, locally run "make codegen-cli-crds", commit the changes, and re-run tests.' >&2
+ @git diff --quiet --exit-code cmd/cli/kubectl-kyverno/data/crds
+
 .PHONY: verify-cli-tests
 verify-cli-tests: ## Check CLI test files are up to date
 @echo Checking CLI test files are up to date... >&2
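Review bot: The `codegen-cli-crds` recipe names the two CRD files to copy one by one, so any further kyverno.io CRD the CLI loader should later validate against would have to be added here by hand and would otherwise be silently absent from the embedded set; whether the embed in data.go globs the directory or lists files is not visible in this hunk. Consider declaring the list once, `CLI_CRDS := kyverno.io_clusterpolicies.yaml kyverno.io_policies.yaml`, and copying with `@for f in $(CLI_CRDS); do cp config/crds/$$f cmd/cli/kubectl-kyverno/data/crds; done`, or else add a comment above the target stating that the embedded set is intentionally limited to the two policy CRDs.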
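Review bot: `git diff --quiet --exit-code cmd/cli/kubectl-kyverno/data/crds` on the last line of the `verify-cli-crds` recipe only compares tracked files, so a CRD that `codegen-cli-crds` newly copies into the directory but that was never committed is untracked and does not fail the check, and the `git --no-pager diff` two lines above would not display it either. Because `codegen-cli-crds` recreates the directory from `config/crds`, an extra untracked file is exactly the drift this target exists to catch. One way to close the gap is to add `@test -z "$$(git ls-files --others --exclude-standard cmd/cli/kubectl-kyverno/data/crds)"` before the final `git diff`, or run `git add -N cmd/cli/kubectl-kyverno/data/crds` first so new files show up in the diff. The existing `verify-manifests` target above uses the same pattern, so this may be a limitation the other verify targets already accept.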
@@ -663,7 +678,7 @@ verify-cli-tests: ## Check CLI test files are up to date
 @git diff --quiet --exit-code test/cli
 .PHONY: verify-codegen
-verify-codegen: verify-crds verify-client verify-deepcopy verify-docs verify-helm verify-manifests ## Verify all generated code and docs are up to date
+verify-codegen: verify-crds verify-client verify-deepcopy verify-docs verify-helm verify-manifests verify-cli-crds ## Verify all generated code and docs are up to date
 ##############
 # UNIT TESTS #
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml
new file mode 100644
index 0000000000..9e0591404c
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml
@@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-image
+ annotations:
+ pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ rules:
+ - name: verify-signature
+ match:
+ resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - imageReferences:
+ - "*"
+ attestors:
+ - count: 1
+ entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
+ bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
+ -----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
new file mode 100644
index 0000000000..e1faf18499
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml
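Review bot: The new fixture `check-image.yaml` carries no comment saying which loader behaviour it exercises; the commit message lists a "defaulting test" and the policy sets only `count: 1` and a key under `attestors` while leaving the other `verifyImages` fields unset, which suggests it is there to observe what CRD defaulting fills in, but `load_test.go` is outside this view so I cannot confirm that. A one-line YAML comment at the top, such as `# Fixture for policy/load_test.go: minimal verifyImages policy used to check fields populated by CRD defaulting`, would stop the file from being edited later as if it were an example policy. Labelling the embedded public key as a test-only key in the same comment would also be worthwhile.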
@@ -0,0 +1,17480 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: ApplyRules controls how rules in a policy are applied. + Rule are processed in the order of declaration. When set to `One` + processing stops after a rule has been applied i.e. the rule matches + and results in a pass, fail, or error. When set to `All` all rules + in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and + webhook response timeout errors are handled. Rules within the same + policy share the same failure behavior. This field should not be + accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. 
+ type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. 
Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the server. 
For example a JMESPath + of "items | length(@)" applied to the API server + response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. 
+ Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. 
+ enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. 
+ items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" 
+ (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. 
If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. 
Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. 
+ enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. 
+ items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. 
+ properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys + and values in `matchLabels`. wildcard characters are + not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. 
+ x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. 
+ type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. 
+ items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. 
+ type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. \n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. 
- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". 
Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. 
If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. \n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. 
The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. 
Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must match + (a logical OR). If the count contains a value + N, then N must be less than or equal to the + size of entries, and at least N entries must + match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes + for keyless verification, or a nested attestor + declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. 
Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other + key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots + are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image signatures. + The keys can be directly specified + or can be a variable reference to + a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) + within the set of attestors and the + count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If + specified Repository will override other + OCI image repository locations for this + Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI + repository to use for resource bundle reference. The + repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for Pod + Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of + the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each image + is the image name consisting of the registry + address, repository, image, and tag. Empty list + matches no containers, PSS checks are applied + at the pod level only. Wildcards (''*'' and + ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values are + privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, + v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. 
+ items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. 
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided + It can be of one of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials Secrets must live in + the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies + as well as patched resources. Optional. The default value is set + to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: UseServerSideApply controls whether to use server-side + apply for generate rules If is set to "true" create & update for + generate rules will use apply instead of create/update. Defaults + to "false" if not specified. 
+ type: boolean + validationFailureAction: + default: Audit + description: ValidationFailureAction defines if a validation policy + rule violation should block the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. Allowed values are audit or enforce. + The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match + declaration to select resources, and an optional exclude declaration + to specify which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. 
CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a + APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. 
+ properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an + OCI/Docker V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a list of + OCI Registry names, whose authentication + providers are provided It can be of one + of these values: AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets + must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference to + a container image in the registry. Example: + ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take if the + JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform the + variable. 
+ type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include + resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name + or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. 
Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used + to populate each generated resource. At most one of + Data or Clone can be specified. 
If neither are provided, + the generated resource will be created with default + data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: Selector is a label selector. Label + keys and values in `matchLabels`. wildcard characters + are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration + used to populate each generated resource. At most + one of Data or Clone must be specified. If neither + are provided, the generated resource will be created + with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated + resources will be overwritten with resource data from + Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string + key: + description: Key is an optional name of the field + within 'path' that will be used to uniquely identify + an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be + available under 'images.' in the context. + If this field is not defined, image entries will + appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should + be slash-separated. 
Each slash-separated key must + be a valid YAML key or a wildcard '*'. Wildcard + keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This + is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds + to ImageExtractorConfigs. This config is only valid for + verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule + should be applied. The match criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic + merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC + 6902 JSON Patch declarations used to modify + resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. 
+ type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. \n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. 
- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". 
Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. 
If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. \n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. 
The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must + be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` + statements) is also supported for backwards + compatibility but will be deprecated in + the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to + use the current list element as the scope for + validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used + as the validation scope within the foreach block + to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. 
Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. 
Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate + OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor + or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for + Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name + of the Pod Security Standard control. See: + https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each + image is the image name consisting of the + registry address, repository, image, and + tag. Empty list matches no containers, PSS + checks are applied at the pod level only. + Wildcards (''*'' and ''?'') are allowed. + See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values + are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, + v1.25, v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated + to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for + signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. 
An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long + there are predicates that match the predicate + type. + items: + description: AnyAllConditions consists of + conditions wrapped denoting a logical criteria + to be fulfilled. AnyConditions get fulfilled + when at least one of its sub-conditions + passes. AllConditions get fulfilled only + when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. 
A condition can reference + object data using JMESPath notation. + Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. A condition can reference + object data using JMESPath notation. + Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must + match (a logical OR). If the count contains + a value N, then N must be less than or equal + to the size of entries, and at least N entries + must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or a + nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, the + system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository will + override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching + image reference patterns. At least one pattern in + the list must match the image for the rule to apply. + Each image reference consists of a registry address + (defaults to docker.io), repository, image, and + tag (defaults to latest). Wildcards (''*'' and ''?'') + are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI + repository to use for image signatures and attestations + that match this rule. If specified Repository will + override the default OCI image repository configured + for the installation. The repository can also be + overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: RuleCountStatus contains four variables which describes + counts for validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: Message is a human readable message indicating details + about the generation of validating admission policy It is an + empty string when validating admission policy is successfully + generated. 
+ type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: ApplyRules controls how rules in a policy are applied. + Rule are processed in the order of declaration. When set to `One` + processing stops after a rule has been applied i.e. the rule matches + and results in a pass, fail, or error. When set to `All` all rules + in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and + webhook response timeout errors are handled. Rules within the same + policy share the same failure behavior. Allowed values are Ignore + or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". 
+ type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. 
+ Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the server. For example a JMESPath + of "items | length(@)" applied to the API server + response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. 
If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys + and values in `matchLabels`. wildcard characters are + not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. 
Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. 
+ properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need + to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set + of values. The values can be fixed set or can be + variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions + need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. 
Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set + of values. The values can be fixed set or can be + variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. \n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. 
- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". 
Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. 
If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. \n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. 
The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, + AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, + AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. 
+ x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. 
"/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. 
+ Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. 
+ type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). 
+ If the count is 1, at least one entry must match + (a logical OR). If the count contains a value + N, then N must be less than or equal to the + size of entries, and at least N entries must + match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes + for keyless verification, or a nested attestor + declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other + key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. 
If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image signatures. + The keys can be directly specified + or can be a variable reference to + a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) + within the set of attestors and the + count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. 
If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If + specified Repository will override other + OCI image repository locations for this + Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI + repository to use for resource bundle reference. The + repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. 
+ type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for Pod + Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of + the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each image + is the image name consisting of the registry + address, repository, image, and tag. Empty list + matches no containers, PSS checks are applied + at the pod level only. Wildcards (''*'' and + ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values are + privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, + v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. 
The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided + It can be of one of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials Secrets must live in + the Kyverno namespace + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. 
+ type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies + as well as patched resources. Optional. The default value is set + to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: UseServerSideApply controls whether to use server-side + apply for generate rules If is set to "true" create & update for + generate rules will use apply instead of create/update. Defaults + to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: ValidationFailureAction defines if a validation policy + rule violation should block the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. Allowed values are audit or enforce. + The default value is "Audit". 
+ enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match + declaration to select resources, and an optional exclude declaration + to specify which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a + APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an + OCI/Docker V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a list of + OCI Registry names, whose authentication + providers are provided It can be of one + of these values: AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets + must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference to + a container image in the registry. Example: + ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take if the + JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform the + variable. 
+ type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include + resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name + or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. 
Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used + to populate each generated resource. At most one of + Data or Clone can be specified. 
If neither are provided, + the generated resource will be created with default + data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: Selector is a label selector. Label + keys and values in `matchLabels`. wildcard characters + are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration + used to populate each generated resource. At most + one of Data or Clone must be specified. If neither + are provided, the generated resource will be created + with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated + resources will be overwritten with resource data from + Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string + key: + description: Key is an optional name of the field + within 'path' that will be used to uniquely identify + an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be + available under 'images.' in the context. + If this field is not defined, image entries will + appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should + be slash-separated. 
Each slash-separated key must + be a valid YAML key or a wildcard '*'. Wildcard + keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This + is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds + to ImageExtractorConfigs. This config is only valid for + verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule + should be applied. The match criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic + merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC + 6902 JSON Patch declarations used to modify + resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. 
+ type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. \n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. 
- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". 
Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. 
If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. \n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. 
The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must + be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` + statements) is also supported for backwards + compatibility but will be deprecated in + the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to + use the current list element as the scope for + validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used + as the validation scope within the foreach block + to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. 
Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. 
Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate + OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor + or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for + Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name + of the Pod Security Standard control. See: + https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each + image is the image name consisting of the + registry address, repository, image, and + tag. Empty list matches no containers, PSS + checks are applied at the pod level only. + Wildcards (''*'' and ''?'') are allowed. + See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values + are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, + v1.25, v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated + to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for + signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. 
An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long + there are predicates that match the predicate + type. + items: + description: AnyAllConditions consists of + conditions wrapped denoting a logical criteria + to be fulfilled. AnyConditions get fulfilled + when at least one of its sub-conditions + passes. AllConditions get fulfilled only + when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. 
A condition can reference + object data using JMESPath notation. + Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. A condition can reference + object data using JMESPath notation. + Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must + match (a logical OR). If the count contains + a value N, then N must be less than or equal + to the size of entries, and at least N entries + must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or a + nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, the + system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository will + override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching + image reference patterns. At least one pattern in + the list must match the image for the rule to apply. + Each image reference consists of a registry address + (defaults to docker.io), repository, image, and + tag (defaults to latest). Wildcards (''*'' and ''?'') + are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI + repository to use for image signatures and attestations + that match this rule. If specified Repository will + override the default OCI image repository configured + for the installation. The repository can also be + overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: RuleCountStatus contains four variables which describes + counts for validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: Message is a human readable message indicating details + about the generation of validating admission policy It is an + empty string when validating admission policy is successfully + generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} 
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
new file mode 100644
index 0000000000..a8f463e81a
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml
@@ -0,0 +1,17483 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: ApplyRules controls how rules in a policy are applied. + Rule are processed in the order of declaration. When set to `One` + processing stops after a rule has been applied i.e. the rule matches + and results in a pass, fail, or error. When set to `All` all rules + in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and + webhook response timeout errors are handled. Rules within the same + policy share the same failure behavior. This field should not be + accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. 
+ enum: + - Ignore + - Fail + type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". + type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. + Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. + properties: + data: + description: Data specifies the POST data sent to + the server. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the server. For example a JMESPath + of "items | length(@)" applied to the API server + response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. 
+ type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. 
If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys + and values in `matchLabels`. wildcard characters are + not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. 
Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. Requires at least + one tag to be specified when under MatchResources. Specifying + ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value + pairs of type string). Annotation keys and values + support the wildcard characters "*" (matches zero + or many characters) and "?" (matches at least one + character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each + name supports wildcard characters "*" (matches zero + or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` + (matches zero or many characters) and `?` (matches + one character).Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys + and values in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` (matches + one character). Wildcards allows writing label selectors + like ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not match + an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or a + value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values + defined by this API group are "User", "Group", and + "ServiceAccount". If the Authorizer does not recognized + the kind value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the Authorizer + should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. 
+ items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. 
+ type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. \n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. 
- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". 
Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. 
If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. \n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. 
The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. 
Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must match + (a logical OR). If the count contains a value + N, then N must be less than or equal to the + size of entries, and at least N entries must + match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes + for keyless verification, or a nested attestor + declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. 
Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other + key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots + are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image signatures. + The keys can be directly specified + or can be a variable reference to + a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) + within the set of attestors and the + count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If + specified Repository will override other + OCI image repository locations for this + Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI + repository to use for resource bundle reference. The + repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for Pod + Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of + the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each image + is the image name consisting of the registry + address, repository, image, and tag. Empty list + matches no containers, PSS checks are applied + at the pod level only. Wildcards (''*'' and + ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values are + privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, + v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. 
+ items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. 
See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided + It can be of one of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials Secrets must live in + the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies + as well as patched resources. Optional. The default value is set + to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: UseServerSideApply controls whether to use server-side + apply for generate rules If is set to "true" create & update for + generate rules will use apply instead of create/update. Defaults + to "false" if not specified. 
+ type: boolean + validationFailureAction: + default: Audit + description: ValidationFailureAction defines if a validation policy + rule violation should block the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. Allowed values are audit or enforce. + The default value is "Audit". + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Deprecated. Policy metrics are available via the metrics + endpoint + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match + declaration to select resources, and an optional exclude declaration + to specify which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. 
Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a + APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. 
The data + returned is stored in the context with the name + for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an + OCI/Docker V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a list of + OCI Registry names, whose authentication + providers are provided It can be of one + of these values: AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets + must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference to + a container image in the registry. Example: + ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take if the + JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform the + variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include + resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name + or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used + to populate each generated resource. At most one of + Data or Clone can be specified. 
If neither are provided, + the generated resource will be created with default + data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: Selector is a label selector. Label + keys and values in `matchLabels`. wildcard characters + are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration + used to populate each generated resource. At most + one of Data or Clone must be specified. If neither + are provided, the generated resource will be created + with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated + resources will be overwritten with resource data from + Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string + key: + description: Key is an optional name of the field + within 'path' that will be used to uniquely identify + an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be + available under 'images.' in the context. + If this field is not defined, image entries will + appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should + be slash-separated. 
Each slash-separated key must + be a valid YAML key or a wildcard '*'. Wildcard + keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This + is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds + to ImageExtractorConfigs. This config is only valid for + verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule + should be applied. The match criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic + merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC + 6902 JSON Patch declarations used to modify + resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. 
+ type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. \n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. 
- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". 
Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. 
If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. \n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. 
The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must + be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` + statements) is also supported for backwards + compatibility but will be deprecated in + the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to + use the current list element as the scope for + validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used + as the validation scope within the foreach block + to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. 
Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. 
Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate + OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor + or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for + Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name + of the Pod Security Standard control. See: + https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each + image is the image name consisting of the + registry address, repository, image, and + tag. Empty list matches no containers, PSS + checks are applied at the pod level only. + Wildcards (''*'' and ''?'') are allowed. + See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values + are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, + v1.25, v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated + to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for + signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. 
An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long + there are predicates that match the predicate + type. + items: + description: AnyAllConditions consists of + conditions wrapped denoting a logical criteria + to be fulfilled. AnyConditions get fulfilled + when at least one of its sub-conditions + passes. AllConditions get fulfilled only + when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. 
A condition can reference + object data using JMESPath notation. + Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. A condition can reference + object data using JMESPath notation. + Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must + match (a logical OR). If the count contains + a value N, then N must be less than or equal + to the size of entries, and at least N entries + must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or a + nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, the + system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository will + override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching + image reference patterns. At least one pattern in + the list must match the image for the rule to apply. + Each image reference consists of a registry address + (defaults to docker.io), repository, image, and + tag (defaults to latest). Wildcards (''*'' and ''?'') + are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI + repository to use for image signatures and attestations + that match this rule. If specified Repository will + override the default OCI image repository configured + for the installation. The repository can also be + overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: RuleCountStatus contains four variables which describes + counts for validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: Message is a human readable message indicating details + about the generation of validating admission policy It is an + empty string when validating admission policy is successfully + generated. 
+ type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .spec.validationFailureAction + name: VALIDATE ACTION + type: string + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: ApplyRules controls how rules in a policy are applied. + Rule are processed in the order of declaration. When set to `One` + processing stops after a rule has been applied i.e. the rule matches + and results in a pass, fail, or error. When set to `All` all rules + in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: Background controls if rules are applied to existing + resources during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean + failurePolicy: + description: FailurePolicy defines how unexpected policy errors and + webhook response timeout errors are handled. Rules within the same + policy share the same failure behavior. Allowed values are Ignore + or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if a mutateExisting + policy is applied on policy events. Default value is "false". 
+ type: boolean + rules: + description: Rules is a list of Rule instances. A Policy contains + multiple rules and each rule can validate, mutate, or generate resources. + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match declaration + to select resources, and an optional exclude declaration to specify + which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a policy + rule should be applied by evaluating a set of CEL conditions. + It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression which + will be evaluated by CEL. Must evaluate to bool. CEL + expressions have access to the contents of the AdmissionRequest + and Authorizer, organized into CEL variables: \n 'object' + - The object from the incoming request. The value is + null for DELETE requests. 'oldObject' - The existing + object. The value is null for CREATE requests. 'request' + - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform + authorization checks for the principal (user or service + account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed + from the 'authorizer' and configured with the request + resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match condition, + used for strategic merging of MatchConditions, as well + as providing an identifier for logging purposes. A good + name should be descriptive of the associated expression. 
+ Name must be a qualified name consisting of alphanumeric + characters, '-', '_' or '.', and must start and end + with an alphanumeric character (e.g. 'MyName', or 'my.name', + \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a APILookup + must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. + properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the JSON response + returned from the server. For example a JMESPath + of "items | length(@)" applied to the API server + response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used in + the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an OCI/Docker + V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match Expression + that can be used to transform the ImageData struct + returned as a result of processing the image reference. + type: string + reference: + description: 'Reference is image reference to a container + image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary JSON + object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath Expression + that can be used to transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used to + populate each generated resource. At most one of Data + or Clone can be specified. 
If neither are provided, the + generated resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: Selector is a label selector. Label keys + and values in `matchLabels`. wildcard characters are + not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". 
The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration used + to populate each generated resource. At most one of Data + or Clone must be specified. If neither are provided, the + generated resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. If + Synchronize is set to "true" changes to generated resources + will be overwritten with resource data from Data or the + resource specified in the Clone declaration. Optional. + Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string + key: + description: Key is an optional name of the field within + 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be available + under 'images.' in the context. If this field + is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should be + slash-separated. 
Each slash-separated key must be + a valid YAML key or a wildcard '*'. Wildcard keys + are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This is + useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds to + ImageExtractorConfigs. This config is only valid for verifyImages + rules. + type: object + match: + description: MatchResources defines when this policy rule should + be applied. The match criteria can include resource information + (e.g. kind, name, namespace, labels) and admission review + request information like the user name or role. At least one + kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and "?" + (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated + in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key + and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the + wildcard characters `*` (matches zero or many + characters) and `?` (matches one character). + Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" + : "*"] matches any key and value but does not + match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to the + object or user identities a role binding applies + to. This can either hold a direct API object + reference, or a value for non-objects such as + user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of + the referenced subject. Defaults to "" for + ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as + "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. + type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 + JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge patch + used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. 
+ properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. 
+ type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need + to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set + of values. The values can be fixed set or can be + variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions + need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. 
Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, or set + of values. The values can be fixed set or can be + variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than + 63 bytes in length. \n The key is combined with + the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook uses + the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the first + annotation written with the key will be included + in the audit event and all subsequent annotations + with the same key will be discarded. \n Required." + type: string + valueExpression: + description: "valueExpression represents the expression + which is evaluated by CEL to produce an audit + annotation value. The expression must evaluate + to either a string or null value. If the expression + evaluates to a string, the audit annotation + is included with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If the + result of the valueExpression is more than 10kb + in length, it will be truncated to 10kb. \n + If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the valueExpression + will be evaluated for each binding. All unique + values produced by the valueExpressions will + be joined together in a comma-separated list. + \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful variables: + \n - 'object' - The object from the incoming + request. The value is null for DELETE requests. + - 'oldObject' - The existing object. The value + is null for CREATE requests. 
- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind. - 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources. - 'variables' - Map of composited + variables, from its name to its lazily evaluated + value. For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the object. + No other metadata properties are accessible. + \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible. Accessible property names are + escaped according to the following rules when + accessed in the expression: - '__' escapes to + '__underscores__' - '.' escapes to '__dot__' + - '-' escapes to '__dash__' - '/' escapes to + '__slash__' - Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are: \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", \"import\", + \"let\", \"loop\", \"package\", \"namespace\", + \"return\". 
Examples: - Expression accessing + a property named \"namespace\": {\"Expression\": + \"object.__namespace__ > 0\"} - Expression accessing + a property named \"x-prop\": {\"Expression\": + \"object.x__dash__prop > 0\"} - Expression accessing + a property named \"redact__d\": {\"Expression\": + \"object.redact__underscores__d > 0\"} \n Equality + on arrays with list type of 'set' or 'map' ignores + element order, i.e. [1, 2] == [2, 1]. Concatenation + on arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + Y` + performs a union where the array positions of + all elements in `X` are preserved and non-intersecting + elements in `Y` are appended, retaining their + partial order. - 'map': `X + Y` performs a merge + where the array positions of all keys in `X` + are preserved but the values are overwritten + by values in `Y` when the key sets of `X` and + `Y` intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial order. + Required." + type: string + message: + description: 'Message represents the message displayed + when validation fails. The message is required + if the Expression contains line breaks. The + message must not contain line breaks. If unset, + the message is "failed rule: {Rule}". e.g. "must + be a URL with the host matching spec.host" If + the Expression contains line breaks. Message + is required. The message must not contain line + breaks. If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a CEL + expression that evaluates to the validation + failure message that is returned when this rule + fails. Since messageExpression is used as a + failure message, it must evaluate to a string. + If both message and messageExpression are present + on a validation, then messageExpression will + be used if validation fails. 
If messageExpression + results in a runtime error, the runtime error + is logged, and the validation failure message + is produced as if the messageExpression field + were unset. If messageExpression evaluates to + an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also be + produced as if the messageExpression field were + unset, and the fact that messageExpression produced + an empty string/string with only spaces/string + with line breaks will be logged. messageExpression + has access to all the same variables as the + `expression` except for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. If + this is the first validation in the list to + fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP response + to the client. The currently supported reasons + are: "Unauthorized", "Forbidden", "Invalid", + "RequestEntityTooLarge". If not set, StatusReasonInvalid + is used in the response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` are + mutually exclusive properties. If one is set, + the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of the + referenced resource. Allows limiting the search + for params to a specific namespace. Applies to + both `name` and `selector` fields. \n A per-namespace + parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field + empty. \n - If `paramKind` is cluster-scoped, + this field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the object + being evaluated for admission will be used when + this field is left unset. Take care that if this + is left empty the binding must not match any cluster-scoped + resources, which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but there + are no parameters matched by the binding. If the + value is set to `Allow`, then no matched parameters + will be treated as successful validation by the + binding. If set to `Deny`, then no matched parameters + will be subject to the `failurePolicy` of the + policy. \n Allowed values are `Allow` or `Deny` + Default to `Deny`" + type: string + selector: + description: "selector can be used to match multiple + param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. \n + If multiple params are found, they are all evaluated + with the policy expressions and the results are + ANDed together. \n One of `name` or `selector` + must be set, but `name` and `selector` are mutually + exclusive properties. If one is set, the other + must be unset." + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression that + will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers + as the CEL expressions in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier and + unique among all variables. 
The variable can + be accessed in other expressions through `variables` + For example, if name is "foo", the variable + will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, + AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition + can reference object data using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, + AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. 
+ x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. 
"/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a + list of OCI Registry names, whose + authentication providers are provided + It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list + of secrets that are provided for credentials + Secrets must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. 
+ Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to use + the current list element as the scope for validation. + Defaults to "true" if not specified. When set to + "false", "request.object" is used as the validation + scope within the foreach block to allow referencing + other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which the + validation logic is applied. 
+ type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful for + finer control of when an rule is applied. A + condition can reference object data using JMESPath + notation. Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, + DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional value, + or set of values. The values can be fixed + set or can be variables declared using + JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). 
+ If the count is 1, at least one entry must match + (a logical OR). If the count contains a value + N, then N must be less than or equal to the + size of entries, and at least N entries must + match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes + for keyless verification, or a nested attestor + declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other + key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. 
If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image signatures. + The keys can be directly specified + or can be a variable reference to + a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster by + specifying it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public + key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) + within the set of attestors and the + count is applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use + for a custom Rekor. 
If set, is + used to validate signatures on + log entries from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If + specified Repository will override other + OCI image repository locations for this + Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate OCI + repository to use for resource bundle reference. The + repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. 
+ type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for Pod + Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name of + the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each image + is the image name consisting of the registry + address, repository, image, and tag. Empty list + matches no containers, PSS checks are applied + at the pod level only. Wildcards (''*'' and + ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values are + privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, + v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated to + include the SHA digest retrieved during the registration. + properties: + attestations: + description: Attestations are optional checks for signed + in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. + Kyverno fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. See + https://github.com/in-toto/attestation. Kyverno fetches + signed attestations from the OCI registry and decodes + them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. 
The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there + are predicates that match the predicate type. + items: + description: AnyAllConditions consists of conditions + wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one + of its sub-conditions passes. AllConditions + get fulfilled only when all of its sub-conditions + pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is null, + all entries must match (a logical AND). If the + count is 1, at least one entry must match (a logical + OR). If the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available attestors. + An attestor can be a static key, attributes for + keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for image + verification. Every specified key-value + pair must exist and match in the verified + payload. The payload may contain other key-value + pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of match + authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an optional + PEM encoded set of certificates used + to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional set + of PEM encoded trusted root certificates. + If not provided, the system roots are + used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one or more public + keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires that + a certificate contain an embedded + SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI to + the public key stored in a Key Management + System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 public + keys used to verify image signatures. + The keys can be directly specified or + can be a variable reference to a key + specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying + it in the format "k8s:///". + The named Secret must specify a key + `cosign.pub` containing the public key + used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each + key is processed as a separate staticKey + entry (.attestors[*].entries.keys) within + the set of attestors and the count is + applied across the keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the public + instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an optional + PEM encoded public key to use for + a custom Rekor. If set, is used + to validate signatures on log entries + from Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional alternate + OCI repository to use for signatures and + attestations that match this rule. If specified + Repository will override other OCI image + repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: 'ImageReferences is a list of matching image + reference patterns. At least one pattern in the list + must match the image for the rule to apply. Each image + reference consists of a registry address (defaults to + docker.io), repository, image, and tag (defaults to + latest). Wildcards (''*'' and ''?'') are allowed. See: + https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI Registry + names, whose authentication providers are provided + It can be of one of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets that + are provided for credentials Secrets must live in + the Kyverno namespace + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. 
+ type: boolean + repository: + description: Repository is an optional alternate OCI repository + to use for image signatures and attestations that match + this rule. If specified Repository will override the + default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or + Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: SchemaValidation skips validation checks for policies + as well as patched resources. Optional. The default value is set + to "true", it must be set to "false" to disable the validation checks. + type: boolean + useServerSideApply: + description: UseServerSideApply controls whether to use server-side + apply for generate rules If is set to "true" create & update for + generate rules will use apply instead of create/update. Defaults + to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: ValidationFailureAction defines if a validation policy + rule violation should block the admission review request (enforce), + or allow (audit) the admission review request and report an error + in a policy report. Optional. Allowed values are audit or enforce. + The default value is "Audit". 
+ enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: ValidationFailureActionOverrides is a Cluster Policy + attribute that specifies ValidationFailureAction namespace-wise. + It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookTimeoutSeconds: + description: WebhookTimeoutSeconds specifies the maximum time in seconds + allowed to apply this policy. After the configured time expires, + the admission request may fail, or may simply ignore the policy + results, based on the failure policy. The default timeout is 10s, + the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: Rule defines a validation, mutation, or generation + control for matching resources. Each rules contains a match + declaration to select resources, and an optional exclude declaration + to specify which resources to exclude. + properties: + celPreconditions: + description: CELPreconditions are used to determine if a + policy rule should be applied by evaluating a set of CEL + conditions. It can only be used with the validate.cel + subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents + of the AdmissionRequest and Authorizer, organized + into CEL variables: \n 'object' - The object from + the incoming request. The value is null for DELETE + requests. 'oldObject' - The existing object. The + value is null for CREATE requests. 'request' - Attributes + of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to + perform authorization checks for the principal (user + or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. Documentation on CEL: + https://kubernetes.io/docs/reference/using-api/cel/ + \n Required." + type: string + name: + description: "Name is an identifier for this match + condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. + A good name should be descriptive of the associated + expression. Name must be a qualified name consisting + of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character + (e.g. 'MyName', or 'my.name', or '123-abc', regex + used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') + with an optional DNS subdomain prefix and '/' (e.g. + 'example.com/MyName') \n Required." + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data sources + to a rule Context. Either a ConfigMap reference or a + APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. + properties: + data: + description: Data specifies the POST data sent + to the server. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to be used + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests to an + OCI/Docker V2 registry to fetch image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry + type: boolean + providers: + description: 'Providers specifies a list of + OCI Registry names, whose authentication + providers are provided It can be of one + of these values: AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets + must live in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional JSON Match + Expression that can be used to transform the + ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference to + a container image in the registry. Example: + ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take if the + JMESPath expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform the + variable. 
+ type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: ExcludeResources defines when this policy rule + should not be applied. The exclude criteria can include + resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name + or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. 
Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: Clone specifies the source resource used + to populate each generated resource. At most one of + Data or Clone can be specified. 
If neither are provided, + the generated resource will be created with default + data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: Selector is a label selector. Label + keys and values in `matchLabels`. wildcard characters + are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". 
+ The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: Data provides the resource declaration + used to populate each generated resource. At most + one of Data or Clone must be specified. If neither + are provided, the generated resource will be created + with default data only. + x-kubernetes-preserve-unknown-fields: true + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + synchronize: + description: Synchronize controls if generated resources + should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated + resources will be overwritten with resource data from + Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string + key: + description: Key is an optional name of the field + within 'path' that will be used to uniquely identify + an image. Note - this field MUST be unique. + type: string + name: + description: Name is the entry the image will be + available under 'images.' in the context. + If this field is not defined, image entries will + appear under 'images.custom'. + type: string + path: + description: Path is the path to the object containing + the image field in a custom resource. It should + be slash-separated. 
Each slash-separated key must + be a valid YAML key or a wildcard '*'. Wildcard + keys are expanded in case of arrays or objects. + type: string + value: + description: Value is an optional name of the field + within 'path' that points to the image URI. This + is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: ImageExtractors defines a mapping from kinds + to ImageExtractorConfigs. This config is only valid for + verifyImages rules. + type: object + match: + description: MatchResources defines when this policy rule + should be applied. The match criteria can include resource + information (e.g. kind, name, namespace, labels) and admission + review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. 
+ Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation + keys and values support the wildcard characters + "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). NOTE: "Name" is + being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" + (matches zero or many characters) and "?" + (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label + selector for the resource namespace. Label + keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character).Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. 
Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and + "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support + the wildcard characters `*` (matches zero + or many characters) and `?` (matches one + character). Wildcards allows writing label + selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any + key and value but does not match an empty + label set.' + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents + a key's relationship to a set + of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values array + must be non-empty. If the operator + is Exists or DoesNotExist, the + values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: Subject contains a reference to + the object or user identities a role binding + applies to. This can either hold a direct + API object reference, or a value for non-objects + such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group + of the referenced subject. Defaults to + "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User + and Group subjects. + type: string + kind: + description: Kind of object being referenced. 
+ Values defined by this API group are "User", + "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind + value, the Authorizer should report an + error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced + object. If the object kind is non-namespace, + such as "User" or "Group", and this value + is not empty the Authorizer should report + an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. Requires + at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match + is being deprecated. Please specify under "any" or + "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations + (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" + (matches zero or many characters) and "?" (matches + at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. + The name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). NOTE: "Name" is being deprecated in + favor of "Names".' + type: string + names: + description: Names are the names of the resources. + Each name supports wildcard characters "*" (matches + zero or many characters) and "?" (at least one + character). 
+ items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector + for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters + `*` (matches zero or many characters) and `?` + (matches one character).Wildcards allows writing + label selectors like ["storage.k8s.io/*": "*"]. + Note that using ["*" : "*"] matches any key and + value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces + names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" + (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label + keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) + and `?` (matches one character). Wildcards allows + writing label selectors like ["storage.k8s.io/*": + "*"]. Note that using ["*" : "*"] matches any + key and value but does not match an empty label + set.' + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: Subject contains a reference to the object + or user identities a role binding applies to. This + can either hold a direct API object reference, or + a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the + referenced subject. Defaults to "" for ServiceAccount + subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. + Values defined by this API group are "User", + "Group", and "ServiceAccount". If the Authorizer + does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If + the object kind is non-namespace, such as "User" + or "Group", and this value is not empty the + Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. 
+ type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: PatchStrategicMerge is a strategic + merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC + 6902 JSON Patch declarations used to modify + resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. 
This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + patchStrategicMerge: + description: PatchStrategicMerge is a strategic merge + patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: PatchesJSON6902 is a list of RFC 6902 JSON + Patch declarations used to modify resources. 
See https://tools.ietf.org/html/rfc6902 + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. 
+ type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: "key specifies the audit annotation + key. The audit annotation keys of a ValidatingAdmissionPolicy + must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more + than 63 bytes in length. \n The key is combined + with the resource name of the ValidatingAdmissionPolicy + to construct an audit annotation key: \"{ValidatingAdmissionPolicy + name}/{key}\". 
\n If an admission webhook + uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation + key will be identical. In this case, the + first annotation written with the key will + be included in the audit event and all subsequent + annotations with the same key will be discarded. + \n Required." + type: string + valueExpression: + description: "valueExpression represents the + expression which is evaluated by CEL to + produce an audit annotation value. The expression + must evaluate to either a string or null + value. If the expression evaluates to a + string, the audit annotation is included + with the string value. If the expression + evaluates to null or empty string the audit + annotation will be omitted. The valueExpression + may be no longer than 5kb in length. If + the result of the valueExpression is more + than 10kb in length, it will be truncated + to 10kb. \n If multiple ValidatingAdmissionPolicyBinding + resources match an API request, then the + valueExpression will be evaluated for each + binding. All unique values produced by the + valueExpressions will be joined together + in a comma-separated list. \n Required." + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL. ref: https://github.com/google/cel-spec + CEL expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables: \n - 'object' - The object from + the incoming request. The value is null + for DELETE requests. - 'oldObject' - The + existing object. The value is null for CREATE + requests. 
- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). + - 'params' - Parameter resource referred + to by the policy binding being evaluated. + Only populated if the policy has a ParamKind. + - 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources. + - 'variables' - Map of composited variables, + from its name to its lazily evaluated value. + For example, a variable named 'foo' can + be accessed as 'variables.foo'. - 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + - 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the request resource. \n The `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the + object. No other metadata properties are + accessible. \n Only property names of the + form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are + accessible. Accessible property names are + escaped according to the following rules + when accessed in the expression: - '__' + escapes to '__underscores__' - '.' escapes + to '__dot__' - '-' escapes to '__dash__' + - '/' escapes to '__slash__' - Property + names that exactly match a CEL RESERVED + keyword escape to '__{keyword}__'. The keywords + are: \"true\", \"false\", \"null\", \"in\", + \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\", + \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\". 
Examples: - Expression + accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ + > 0\"} - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"} - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"} \n Equality on arrays with list type + of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1]. Concatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type: - 'set': `X + + Y` performs a union where the array positions + of all elements in `X` are preserved and + non-intersecting elements in `Y` are appended, + retaining their partial order. - 'map': + `X + Y` performs a merge where the array + positions of all keys in `X` are preserved + but the values are overwritten by values + in `Y` when the key sets of `X` and `Y` + intersect. Elements in `Y` with non-intersecting + keys are appended, retaining their partial + order. Required." + type: string + message: + description: 'Message represents the message + displayed when validation fails. The message + is required if the Expression contains line + breaks. The message must not contain line + breaks. If unset, the message is "failed + rule: {Rule}". e.g. "must be a URL with + the host matching spec.host" If the Expression + contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: + {Expression}".' + type: string + messageExpression: + description: 'messageExpression declares a + CEL expression that evaluates to the validation + failure message that is returned when this + rule fails. Since messageExpression is used + as a failure message, it must evaluate to + a string. If both message and messageExpression + are present on a validation, then messageExpression + will be used if validation fails. 
If messageExpression + results in a runtime error, the runtime + error is logged, and the validation failure + message is produced as if the messageExpression + field were unset. If messageExpression evaluates + to an empty string, a string with only spaces, + or a string that contains line breaks, then + the validation failure message will also + be produced as if the messageExpression + field were unset, and the fact that messageExpression + produced an empty string/string with only + spaces/string with line breaks will be logged. + messageExpression has access to all the + same variables as the `expression` except + for ''authorizer'' and ''authorizer.requestResource''. + Example: "object.x must be less than max + ("+string(params.max)+")"' + type: string + reason: + description: 'Reason represents a machine-readable + description of why this validation failed. + If this is the first validation in the list + to fail, this reason, as well as the corresponding + HTTP response code, are used in the HTTP + response to the client. The currently supported + reasons are: "Unauthorized", "Forbidden", + "Invalid", "RequestEntityTooLarge". If not + set, StatusReasonInvalid is used in the + response to the client.' + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: APIVersion is the API group version + the resources belong to. In format of "group/version". + Required. + type: string + kind: + description: Kind is the API kind the resources + belong to. Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: "`name` is the name of the resource + being referenced. \n `name` and `selector` + are mutually exclusive properties. If one + is set, the other must be unset." 
+ type: string + namespace: + description: "namespace is the namespace of + the referenced resource. Allows limiting the + search for params to a specific namespace. + Applies to both `name` and `selector` fields. + \n A per-namespace parameter may be used by + specifying a namespace-scoped `paramKind` + in the policy and leaving this field empty. + \n - If `paramKind` is cluster-scoped, this + field MUST be unset. Setting this field results + in a configuration error. \n - If `paramKind` + is namespace-scoped, the namespace of the + object being evaluated for admission will + be used when this field is left unset. Take + care that if this is left empty the binding + must not match any cluster-scoped resources, + which will result in an error." + type: string + parameterNotFoundAction: + description: "`parameterNotFoundAction` controls + the behavior of the binding when the resource + exists, and name or selector is valid, but + there are no parameters matched by the binding. + If the value is set to `Allow`, then no matched + parameters will be treated as successful validation + by the binding. If set to `Deny`, then no + matched parameters will be subject to the + `failurePolicy` of the policy. \n Allowed + values are `Allow` or `Deny` Default to `Deny`" + type: string + selector: + description: "selector can be used to match + multiple param objects based on their labels. + Supply selector: {} to match all resources + of the ParamKind. \n If multiple params are + found, they are all evaluated with the policy + expressions and the results are ANDed together. + \n One of `name` or `selector` must be set, + but `name` and `selector` are mutually exclusive + properties. If one is set, the other must + be unset." + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: Variables contain definitions of variables + that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under + `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: Expression is the expression + that will be evaluated as the value of the + variable. The CEL expression has access + to the same identifiers as the CEL expressions + in Validation. + type: string + name: + description: Name is the name of the variable. + The name must be a valid CEL identifier + and unique among all variables. 
The variable + can be accessed in other expressions through + `variables` For example, if name is "foo", + the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) + is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must + be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. 
+ type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry + type: boolean + providers: + description: 'Providers specifies + a list of OCI Registry names, + whose authentication providers + are provided It can be of one + of these values: AWS, ACR, GCP, + GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a + list of secrets that are provided + for credentials Secrets must live + in the Kyverno namespace + items: + type: string + type: array + type: object + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. 
+ type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared + under an `any` or `all` statement. A direct + list of conditions (without `any` or `all` + statements) is also supported for backwards + compatibility but will be deprecated in + the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: ElementScope specifies whether to + use the current list element as the scope for + validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used + as the validation scope within the foreach block + to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: List specifies a JMESPath expression + that results in one or more elements to which + the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: 'AnyAllConditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. 
Here, all of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is useful + for finer control of when an rule is applied. + A condition can reference object data using + JMESPath notation. Here, at least one of + the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If the + count is null, all entries must match (a + logical AND). If the count is 1, at least + one entry must match (a logical OR). If + the count contains a value N, then N must + be less than or equal to the size of entries, + and at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or + a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. 
Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set + of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is + an optional PEM encoded set of + certificates used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless + attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. 
+ properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, + the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. 
If the + value is nil, default ctlog public + key is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if + set, is used to validate SCTs + against those keys. + type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a + Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable + reference to a key specified in + a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log + service. If an empty object is + provided the public instance of + Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip + tlog verification + type: boolean + pubkey: + description: RekorPubKey is + an optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries + from Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository + will override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: Repository is an optional alternate + OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor + or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. 
+ x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: PodSecurity applies exemptions for Kubernetes + Pod Security admission by specifying exclusions for + Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: 'ControlName specifies the name + of the Pod Security Standard control. See: + https://kubernetes.io/docs/concepts/security/pod-security-standards/' + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: 'Images selects matching containers + and applies the container level PSS. Each + image is the image name consisting of the + registry address, repository, image, and + tag. Empty list matches no containers, PSS + checks are applied at the pod level only. + Wildcards (''*'' and ''?'') are allowed. + See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: Level defines the Pod Security Standard + level to be applied to workloads. Allowed values + are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: Version defines the Pod Security Standard + versions that Kubernetes supports. Allowed values + are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, + v1.25, v1.26, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - latest + type: string + type: object + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: ImageVerification validates that images that + match the specified pattern are signed with the supplied + public key. Once the image is verified it is mutated + to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: Attestations are optional checks for + signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statement declarations. + items: + description: Attestation are checks for signed in-toto + Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno + fetches signed attestations from the OCI registry + and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities) + items: + properties: + count: + description: Count specifies the required + number of entries that must match. If + the count is null, all entries must + match (a logical AND). If the count + is 1, at least one entry must match + (a logical OR). If the count contains + a value N, then N must be less than + or equal to the size of entries, and + at least N entries must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. 
An attestor can be a static + key, attributes for keyless verification, + or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used + for image verification. Every + specified key-value pair must + exist and match in the verified + payload. The payload may contain + other key-value pairs. + type: object + attestor: + description: Attestor is a nested + AttestorSet used to specify a + more complex set of match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates + properties: + cert: + description: Certificate is + an optional PEM encoded public + certificate. + type: string + certChain: + description: CertificateChain + is an optional PEM encoded + set of certificates used to + verify + type: string + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. 
+ type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of + attribute used to verify a Sigstore + keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted + root certificates. If not + provided, the system roots + are used. 
+ type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address + type: string + type: object + keys: + description: Keys specifies one + or more public keys + properties: + ctlog: + description: CTLog provides + configuration for validation + of SCTs. If the value is nil, + default ctlog public key is + used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain + an embedded SCT during + verification. + type: boolean + pubkey: + description: CTLogPubKey, + if set, is used to validate + SCTs against those keys. + type: string + type: object + kms: + description: 'KMS provides the + URI to the public key stored + in a Key Management System. + See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of + X.509 public keys used to + verify image signatures. The + keys can be directly specified + or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format + "k8s:///". + The named Secret must specify + a key `cosign.pub` containing + the public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a + separate staticKey entry (.attestors[*].entries.keys) + within the set of attestors + and the count is applied across + the keys. + type: string + rekor: + description: Rekor provides + configuration for the Rekor + transparency log service. + If an empty object is provided + the public instance of Rekor + (https://rekor.sigstore.dev) + is used. 
+ properties: + ignoreTlog: + description: IgnoreTlog + skip tlog verification + type: boolean + pubkey: + description: RekorPubKey + is an optional PEM encoded + public key to use for + a custom Rekor. If set, + is used to validate signatures + on log entries from Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha256 + and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use + for signatures and attestations + that match this rule. If specified + Repository will override other + OCI image repository locations + for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: Conditions are used to verify attributes + within a Predicate. If no Conditions are specified + the attestation check is satisfied as long + there are predicates that match the predicate + type. + items: + description: AnyAllConditions consists of + conditions wrapped denoting a logical criteria + to be fulfilled. AnyConditions get fulfilled + when at least one of its sub-conditions + passes. AllConditions get fulfilled only + when all of its sub-conditions pass. + properties: + all: + description: AllConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. 
A condition can reference + object data using JMESPath notation. + Here, all of the conditions need to + pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: AnyConditions enable variable-based + conditional rule execution. This is + useful for finer control of when an + rule is applied. A condition can reference + object data using JMESPath notation. + Here, at least one of the conditions + need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: 'Operator is the conditional + operation to perform. 
Valid operators + are: Equals, NotEquals, In, AnyIn, + AllIn, NotIn, AnyNotIn, AllNotIn, + GreaterThanOrEquals, GreaterThan, + LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, + DurationLessThan' + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: Value is the conditional + value, or set of values. The values + can be fixed set or can be variables + declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: Count specifies the required number + of entries that must match. If the count is + null, all entries must match (a logical AND). + If the count is 1, at least one entry must + match (a logical OR). If the count contains + a value N, then N must be less than or equal + to the size of entries, and at least N entries + must match. + minimum: 1 + type: integer + entries: + description: Entries contains the available + attestors. An attestor can be a static key, + attributes for keyless verification, or a + nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: Annotations are used for + image verification. Every specified + key-value pair must exist and match + in the verified payload. The payload + may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested AttestorSet + used to specify a more complex set of + match authorities + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates + properties: + cert: + description: Certificate is an optional + PEM encoded public certificate. + type: string + certChain: + description: CertificateChain is an + optional PEM encoded set of certificates + used to verify + type: string + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + type: object + keyless: + description: Keyless is a set of attribute + used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. 
+ type: object + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + roots: + description: Roots is an optional + set of PEM encoded trusted root + certificates. If not provided, the + system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address + type: string + type: object + keys: + description: Keys specifies one or more + public keys + properties: + ctlog: + description: CTLog provides configuration + for validation of SCTs. If the value + is nil, default ctlog public key + is used + properties: + ignoreSCT: + description: IgnoreSCT requires + that a certificate contain an + embedded SCT during verification. + type: boolean + pubkey: + description: CTLogPubKey, if set, + is used to validate SCTs against + those keys. 
+ type: string + type: object + kms: + description: 'KMS provides the URI + to the public key stored in a Key + Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + type: string + publicKeys: + description: Keys is a set of X.509 + public keys used to verify image + signatures. The keys can be directly + specified or can be a variable reference + to a key specified in a ConfigMap + (see https://kyverno.io/docs/writing-policies/variables/), + or reference a standard Kubernetes + Secret elsewhere in the cluster + by specifying it in the format "k8s:///". + The named Secret must specify a + key `cosign.pub` containing the + public key used for verification, + (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified + each key is processed as a separate + staticKey entry (.attestors[*].entries.keys) + within the set of attestors and + the count is applied across the + keys. + type: string + rekor: + description: Rekor provides configuration + for the Rekor transparency log service. + If an empty object is provided the + public instance of Rekor (https://rekor.sigstore.dev) + is used. + properties: + ignoreTlog: + description: IgnoreTlog skip tlog + verification + type: boolean + pubkey: + description: RekorPubKey is an + optional PEM encoded public + key to use for a custom Rekor. + If set, is used to validate + signatures on log entries from + Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public log https://rekor.sigstore.dev. + type: string + required: + - url + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. 
+ type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha256 and sha512 + type: string + type: object + repository: + description: Repository is an optional + alternate OCI repository to use for + signatures and attestations that match + this rule. If specified Repository will + override other OCI image repository + locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: 'ImageReferences is a list of matching + image reference patterns. At least one pattern in + the list must match the image for the rule to apply. + Each image reference consists of a registry address + (defaults to docker.io), repository, image, and + tag (defaults to latest). Wildcards (''*'' and ''?'') + are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry + type: boolean + providers: + description: 'Providers specifies a list of OCI + Registry names, whose authentication providers + are provided It can be of one of these values: + AWS, ACR, GCP, GHCR' + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: Secrets specifies a list of secrets + that are provided for credentials Secrets must + live in the Kyverno namespace + items: + type: string + type: array + type: object + issuer: + description: Deprecated. 
Use KeylessAttestor instead. + type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: MutateDigest enables replacement of image + tags with digests. Defaults to true. + type: boolean + repository: + description: Repository is an optional alternate OCI + repository to use for image signatures and attestations + that match this rule. If specified Repository will + override the default OCI image repository configured + for the installation. The repository can also be + overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: RuleCountStatus contains four variables which describes + counts for validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: Message is a human readable message indicating details + about the generation of validating admission policy It is an + empty string when validating admission policy is successfully + generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} diff --git a/cmd/cli/kubectl-kyverno/data/data.go b/cmd/cli/kubectl-kyverno/data/data.go new file mode 100644 index 0000000000..f7fa123fc6 --- /dev/null 
+++ b/cmd/cli/kubectl-kyverno/data/data.go
@@ -0,0 +1,15 @@
+package data
+
+import (
+ "embed"
+ "io/fs"
+)
+
+const CrdsFolder = "crds"
+
+//go:embed crds
+var crdsFs embed.FS
+
+func Crds() fs.FS {
+ return crdsFs
+}
diff --git a/cmd/cli/kubectl-kyverno/experimental/experimental.go b/cmd/cli/kubectl-kyverno/experimental/experimental.go
index 7f8618a49e..23e55af291 100644
--- a/cmd/cli/kubectl-kyverno/experimental/experimental.go
+++ b/cmd/cli/kubectl-kyverno/experimental/experimental.go
@@ -5,11 +5,22 @@ import (
 "strconv"
 )
 
-const experimentalEnv = "KYVERNO_EXPERIMENTAL"
+const (
+ ExperimentalEnv = "KYVERNO_EXPERIMENTAL"
+ KubectlValidateEnv = "KYVERNO_KUBECTL_VALIDATE"
+)
 
-func IsEnabled() bool {
- if b, err := strconv.ParseBool(os.Getenv(experimentalEnv)); err == nil {
+func getBool(env string) bool {
+ if b, err := strconv.ParseBool(os.Getenv(env)); err == nil {
 return b
 }
 return false
 }
+
+func IsEnabled() bool {
+ return getBool(ExperimentalEnv)
+}
+
+func UseKubectlValidate() bool {
+ return getBool(KubectlValidateEnv)
+}
diff --git a/cmd/cli/kubectl-kyverno/experimental/experimental_test.go b/cmd/cli/kubectl-kyverno/experimental/experimental_test.go
index 7beaea0b1d..448abef2c9 100644
--- a/cmd/cli/kubectl-kyverno/experimental/experimental_test.go
+++ b/cmd/cli/kubectl-kyverno/experimental/experimental_test.go
@@ -11,28 +11,28 @@ func TestIsEnabled(t *testing.T) {
 {
 name: "enabled",
 env: map[string]string{
- experimentalEnv: "true",
+ ExperimentalEnv: "true",
 },
 want: true,
 },
 {
 name: "enabled",
 env: map[string]string{
- experimentalEnv: "1",
+ ExperimentalEnv: "1",
 },
 want: true,
 },
 {
 name: "enabled",
 env: map[string]string{
- experimentalEnv: "t",
+ ExperimentalEnv: "t",
 },
 want: true,
 },
 {
 name: "disabled",
 env: map[string]string{
- experimentalEnv: "false",
+ ExperimentalEnv: "false",
 },
 want: false,
 },
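Review bot: `CrdsFolder` and `Crds` are exported without doc comments, so nothing tells a reader that this embedded filesystem is the schema the CLI checks policies against (load.go further down hands it to `openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder)`). Add `// CrdsFolder is the directory inside the embedded filesystem that holds the Kyverno Policy and ClusterPolicy CRDs.` above the constant and `// Crds returns the embedded filesystem containing the generated Kyverno CRDs; the files live under CrdsFolder.` above the function. The comment on `Crds` should also state that the CRDs are captured at build time, so validation reflects the copies checked into this directory and not whatever is installed in a cluster — a stale copy here silently accepts or rejects the wrong schema.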
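Review bot: `UseKubectlValidate` and the newly exported `KubectlValidateEnv`/`ExperimentalEnv` constants carry no doc comments, and the accepted values are not obvious from the code: `getBool` returns false for anything `strconv.ParseBool` rejects, so `KYVERNO_KUBECTL_VALIDATE=yes` or `=on` silently falls back to the non-validating loader with no diagnostic. Add `// UseKubectlValidate reports whether KYVERNO_KUBECTL_VALIDATE holds a value strconv.ParseBool accepts as true ("1", "t", "true", ...); unset or unparsable values report false.` above the function, and a parallel comment on `IsEnabled` and on the const block. Since this flag decides whether policies are schema-validated before they are loaded, it would also be worth emitting a warning to stderr from `getBool` when the variable is non-empty but unparsable, keeping the false result so the existing "bad format" test case still holds.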
@@ -44,7 +44,7 @@ func TestIsEnabled(t *testing.T) {
 {
 name: "bad format",
 env: map[string]string{
- experimentalEnv: "maybe",
+ ExperimentalEnv: "maybe",
 },
 want: false,
 },
diff --git a/cmd/cli/kubectl-kyverno/policy/load.go b/cmd/cli/kubectl-kyverno/policy/load.go
index 0a3f34e6f8..f9ecb9d989 100644
--- a/cmd/cli/kubectl-kyverno/policy/load.go
+++ b/cmd/cli/kubectl-kyverno/policy/load.go
@@ -11,12 +11,94 @@ import (
 
 "github.com/go-git/go-billy/v5"
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
 "github.com/kyverno/kyverno/pkg/utils/git"
 yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
 "k8s.io/api/admissionregistration/v1alpha1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/util/yaml"
+ "sigs.k8s.io/kubectl-validate/pkg/openapiclient"
+ "sigs.k8s.io/kubectl-validate/pkg/validatorfactory"
 )
 
+var (
+ factory, _ = validatorfactory.New(client)
+ policyV1 = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("Policy")
+ policyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("Policy")
+ clusterPolicyV1 = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("ClusterPolicy")
+ clusterPolicyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("ClusterPolicy")
+ vapV1 = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
+ client = openapiclient.NewComposite(
+ openapiclient.NewHardcodedBuiltins("1.27"),
+ openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder),
+ )
+)
+
+func getPolicies(bytes []byte) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
+ if !experimental.UseKubectlValidate() {
+ return yamlutils.GetPolicy(bytes)
+ }
+ var policies []kyvernov1.PolicyInterface
+ var validatingAdmissionPolicies []v1alpha1.ValidatingAdmissionPolicy
+ documents, err := yamlutils.SplitDocuments(bytes)
+ if err != nil {
+ return nil, nil, err
+ }
+ for _, document := range documents {
+ var metadata metav1.TypeMeta
+ if err := yaml.Unmarshal(document, &metadata); err != nil {
+ return nil, nil, err
+ }
+ gvk := metadata.GetObjectKind().GroupVersionKind()
+ validator, err := factory.ValidatorsForGVK(gvk)
+ if err != nil {
+ return nil, nil, err
+ }
+ decoder, err := validator.Decoder(gvk)
+ if err != nil {
+ return nil, nil, err
+ }
+ info, ok := runtime.SerializerInfoForMediaType(decoder.SupportedMediaTypes(), runtime.ContentTypeYAML)
+ if !ok {
+ return nil, nil, fmt.Errorf("failed to get serializer info for %s", gvk)
+ }
+ var untyped unstructured.Unstructured
+ _, _, err = decoder.DecoderToVersion(info.StrictSerializer, gvk.GroupVersion()).Decode(document, &gvk, &untyped)
+ if err != nil {
+ return nil, nil, err
+ }
+ switch gvk {
+ case policyV1, policyV2:
+ var policy kyvernov1.Policy
+ if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(untyped.UnstructuredContent(), &policy, true); err != nil {
+ return nil, nil, err
+ }
+ policies = append(policies, &policy)
+ case clusterPolicyV1, clusterPolicyV2:
+ var policy kyvernov1.ClusterPolicy
+ if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(untyped.UnstructuredContent(), &policy, true); err != nil {
+ return nil, nil, err
+ }
+ policies = append(policies, &policy)
+ case vapV1:
+ var policy v1alpha1.ValidatingAdmissionPolicy
+ if err := runtime.DefaultUnstructuredConverter.FromUnstructuredWithValidation(untyped.UnstructuredContent(), &policy, true); err != nil {
+ return nil, nil, err
+ }
+ validatingAdmissionPolicies = append(validatingAdmissionPolicies, policy)
+ default:
+ return nil, nil, fmt.Errorf("policy type not supported %s", gvk)
+ }
+ }
+ return policies, validatingAdmissionPolicies, nil
+}
+
 func Load(fs billy.Filesystem, resourcePath string, paths ...string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
 var pols []kyvernov1.PolicyInterface
 var vaps []v1alpha1.ValidatingAdmissionPolicy
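Review bot: `factory, _ = validatorfactory.New(client)` in the new `var` block discards the constructor's error, so if the embedded CRDs cannot be loaded `factory` is nil and `factory.ValidatorsForGVK(gvk)` panics on the first document whenever `UseKubectlValidate()` is true; keep the error in a package variable and return it from `getPolicies` before the document loop, as below. `openapiclient.NewHardcodedBuiltins("1.27")` pins the built-in schemas to one Kubernetes minor with no comment saying why, and a `// built-in kinds such as ValidatingAdmissionPolicy are validated against this Kubernetes version` note would record that choice. The `policyV2`/`clusterPolicyV2` cases convert a v2beta1 document into the `kyvernov1` structs with strict validation, which presumably only works while every v2beta1 field also exists in v1; that assumption deserves a comment on the `case` line. The hunk ends inside `Load`, whose body continues outside it.
```go
var (
	factory, factoryErr = validatorfactory.New(client)
	// … unchanged: GVK variables and client …
)

func getPolicies(bytes []byte) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	if !experimental.UseKubectlValidate() {
		return yamlutils.GetPolicy(bytes)
	}
	if factoryErr != nil {
		return nil, nil, fmt.Errorf("initializing policy schema validator: %w", factoryErr)
	}
	// … unchanged: document loop …
}
```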
@@ -79,7 +161,7 @@ func fsLoad(path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmi
 if err != nil {
 return nil, nil, err
 }
- p, v, err := yamlutils.GetPolicy(fileBytes)
+ p, v, err := getPolicies(fileBytes)
 if err != nil {
 return nil, nil, err
 }
@@ -107,7 +189,7 @@ func httpLoad(path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAd
 if err != nil {
 return nil, nil, fmt.Errorf("failed to process %v: %v", path, err)
 }
- return yamlutils.GetPolicy(fileBytes)
+ return getPolicies(fileBytes)
 }
 
 func gitLoad(fs billy.Filesystem, path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
@@ -119,7 +201,7 @@ func gitLoad(fs billy.Filesystem, path string) ([]kyvernov1.PolicyInterface, []v
 if err != nil {
 return nil, nil, err
 }
- return yamlutils.GetPolicy(fileBytes)
+ return getPolicies(fileBytes)
 }
 
 func stdinLoad() ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
@@ -128,5 +210,5 @@ func stdinLoad() ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPol
 for scanner.Scan() {
 policyStr = policyStr + scanner.Text() + "\n"
 }
- return yamlutils.GetPolicy([]byte(policyStr))
+ return getPolicies([]byte(policyStr))
 }
diff --git a/cmd/cli/kubectl-kyverno/policy/load_test.go b/cmd/cli/kubectl-kyverno/policy/load_test.go
index 33a6af2f8a..a5893e6348 100644
--- a/cmd/cli/kubectl-kyverno/policy/load_test.go
+++ b/cmd/cli/kubectl-kyverno/policy/load_test.go
@@ -4,6 +4,10 @@ import (
 "testing"
 
 "github.com/go-git/go-billy/v5"
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
+ "github.com/stretchr/testify/assert"
+ "k8s.io/api/admissionregistration/v1alpha1"
 )
 
 func TestLoad(t *testing.T) {
@@ -36,3 +40,63 @@ func TestLoad(t *testing.T) {
 })
 }
 }
+
+func TestLoadWithKubectlValidate(t *testing.T) {
+ tests := []struct {
+ name string
+ fs billy.Filesystem
+ resourcePath string
+ paths []string
+ wantErr bool
+ checks func(*testing.T, []kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy)
+ }{{
+ name: "cpol-limit-configmap-for-sa",
+ fs: nil,
+ resourcePath: "",
+ paths: []string{"../_testdata/policies/cpol-limit-configmap-for-sa.yaml"},
+ wantErr: false,
+ }, {
+ name: "invalid-schema",
+ fs: nil,
+ resourcePath: "",
+ paths: []string{"../_testdata/policies/invalid-schema.yaml"},
+ wantErr: true,
+ }, {
+ name: "proper defaulting",
+ fs: nil,
+ resourcePath: "",
+ paths: []string{"../_testdata/policies/check-image.yaml"},
+ wantErr: false,
+ checks: func(t *testing.T, policies []kyvernov1.PolicyInterface, vaps []v1alpha1.ValidatingAdmissionPolicy) {
+ assert.Len(t, policies, 1)
+ policy := policies[0]
+ assert.NotNil(t, policy)
+ spec := policy.GetSpec()
+ assert.NotNil(t, spec)
+ assert.True(t, spec.ValidationFailureAction.Audit())
+ assert.NotNil(t, spec.Background)
+ assert.True(t, *spec.Background)
+ assert.NotNil(t, spec.Admission)
+ assert.True(t, *spec.Admission)
+ rule := spec.Rules[0]
+ assert.Len(t, rule.VerifyImages, 1)
+ assert.True(t, rule.VerifyImages[0].Required)
+ assert.True(t, rule.VerifyImages[0].MutateDigest)
+ assert.True(t, rule.VerifyImages[0].VerifyDigest)
+ assert.True(t, rule.VerifyImages[0].UseCache)
+ },
+ }}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ t.Setenv(experimental.KubectlValidateEnv, "true")
+ policies, vaps, err := Load(tt.fs, tt.resourcePath, tt.paths...)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("Load() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if tt.checks != nil {
+ tt.checks(t, policies, vaps)
+ }
+ })
+ }
+}
diff --git a/go.mod b/go.mod
index 574c814bfb..d9b9070d94 100644
--- a/go.mod
+++ b/go.mod
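Review bot: In the `"proper defaulting"` checks, `policy := policies[0]`, `*spec.Background`, `*spec.Admission` and `rule := spec.Rules[0]` are reached even when the preceding `assert.Len`/`assert.NotNil` calls fail, because `assert` records the failure and keeps going; a loader regression that yields no policies, no rules or a nil pointer would panic the test run instead of reporting a clean failure. Add `assert.Len(t, spec.Rules, 1)` before the rule index and turn the length and nil preconditions into `require.*` calls (or `if !assert.NotNil(t, spec.Background) { return }`) so the dereferences are skipped once a precondition fails. The `invalid-schema` case only checks that some error occurs; asserting on the error text would confirm it is the schema validator rejecting the document rather than, say, a missing test file.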
@@ -51,9 +51,9 @@ require ( github.com/spf13/cobra v1.7.0 github.com/stretchr/testify v1.8.4 github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.43.0 + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 go.opentelemetry.io/otel v1.18.0 - go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.40.0 + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.18.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.18.0 go.opentelemetry.io/otel/exporters/prometheus v0.41.0 @@ -85,6 +85,7 @@ require ( k8s.io/pod-security-admission v0.28.1 k8s.io/utils v0.0.0-20230726121419-3b25d923346b sigs.k8s.io/controller-runtime v0.16.1 + sigs.k8s.io/kubectl-validate v0.0.0-20230914023412-34b6c093162c sigs.k8s.io/kustomize/api v0.14.0 sigs.k8s.io/kustomize/kyaml v0.14.3 sigs.k8s.io/release-utils v0.7.4 @@ -127,6 +128,7 @@ require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect github.com/ThalesIgnite/crypto11 v1.2.5 // indirect @@ -174,6 +176,8 @@ require ( github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/coreos/go-oidc/v3 v3.6.0 // indirect + github.com/coreos/go-semver v0.3.1 // indirect + github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20230710064741-aa7fe85c7dbd // indirect github.com/davecgh/go-spew v1.1.1 // indirect 
@@ -242,7 +246,8 @@ require ( github.com/googleapis/gax-go/v2 v2.12.0 // indirect github.com/gorilla/mux v1.8.0 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.17.1 // indirect + github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect @@ -358,9 +363,13 @@ require ( github.com/xlab/treeprint v1.2.0 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect github.com/zeebo/errs v1.3.0 // indirect + go.etcd.io/etcd/api/v3 v3.5.9 // indirect + go.etcd.io/etcd/client/pkg/v3 v3.5.9 // indirect + go.etcd.io/etcd/client/v3 v3.5.9 // indirect go.mongodb.org/mongo-driver v1.12.1 // indirect go.opencensus.io v0.24.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.40.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.44.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0 // indirect go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.starlark.net v0.0.0-20230814145427-12f4cb8177e4 // indirect go.step.sm/crypto v0.35.0 // indirect @@ -369,7 +378,7 @@ require ( go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect golang.org/x/mod v0.12.0 // indirect golang.org/x/net v0.15.0 // indirect - golang.org/x/oauth2 v0.11.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sync v0.3.0 // indirect golang.org/x/sys v0.12.0 // indirect golang.org/x/term v0.12.0 // indirect 
@@ -377,8 +386,8 @@ require ( golang.org/x/tools v0.12.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/api v0.138.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto v0.0.0-20230911183012-2d3300fd4832 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.31.0 // indirect @@ -392,5 +401,8 @@ require ( k8s.io/component-base v0.28.2 // indirect k8s.io/kubectl v0.28.1 // indirect oras.land/oras-go/v2 v2.2.1 // indirect + sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.4 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect ) + +replace sigs.k8s.io/kubectl-validate => github.com/eddycharly/kubectl-validate v0.0.0-20230914071638-b53689140439 diff --git a/go.sum b/go.sum index 46ad69856b..b7c01c2474 100644 --- a/go.sum +++ b/go.sum @@ -149,6 +149,8 @@ github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/OneOfOne/xxhash v1.2.7/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= 
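Review bot: The new `replace sigs.k8s.io/kubectl-validate => github.com/eddycharly/kubectl-validate v0.0.0-20230914071638-b53689140439` at the end of the hunk redirects the `sigs.k8s.io/kubectl-validate` requirement added earlier in this file to a fork under a personal GitHub account, with no comment saying why. A replace to a fork is a supply-chain decision reviewers need to be able to audit, so add a comment naming the upstream change the fork carries and when the directive can go, e.g. `// TODO: remove once <UPSTREAM-CHANGE-PLACEHOLDER> is merged and released upstream`, so the pin does not silently outlive its purpose. Recording the reviewed fork commit and its diff against upstream in the PR description would let others verify the fork contains only that change.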
@@ -340,6 +342,7 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= github.com/cockroachdb/apd/v3 v3.2.0 h1:79kHCn4tO0VGu3W0WujYrMjBDk8a2H4KEUYcXf7whcg= github.com/cockroachdb/apd/v3 v3.2.0/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= 
@@ -358,9 +361,13 @@ github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= 
@@ -426,6 +433,8 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= github.com/ebitengine/purego v0.5.0-alpha.1 h1:0gVgWGb8GjKYs7cufvfNSleJAD00m2xWC26FMwOjNrw= github.com/ebitengine/purego v0.5.0-alpha.1/go.mod h1:ah1In8AOtksoNK6yk5z1HTJeUkC1Ez4Wk2idgGslMwQ= +github.com/eddycharly/kubectl-validate v0.0.0-20230914071638-b53689140439 h1:QfcLiMLx+JqCB2lmHsMgYHnq5ncl+JBsrAtgACC0tzU= +github.com/eddycharly/kubectl-validate v0.0.0-20230914071638-b53689140439/go.mod h1:PJu2X5+3w1ySf5gtRjV3atoQ/BfsTj5yr6SqE6iBA1E= github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0= @@ -446,6 +455,7 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= github.com/esimonov/ifshort v1.0.2/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE= github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY= github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= 
@@ -637,6 +647,7 @@ github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= +github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= @@ -801,6 +812,7 @@ github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB7 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= github.com/gostaticanalysis/analysisutil v0.0.3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE= github.com/gostaticanalysis/analysisutil v0.1.0/go.mod h1:dMhHRU9KTiDcuLGdy87/2gTR8WruwYZrKdRq9m1O6uw= 
@@ -815,13 +827,17 @@ github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:Fecb github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.2.2/go.mod h1:EaizFBKfUKtMIF5iaDEhniwNedqGo9FuLFzppDr3uwI= +github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99 h1:JYghRBlGCZyCF2wNUJ8W0cwaQdtpcssJ4CgC406g+WU= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.1-0.20210315223345-82c243799c99/go.mod h1:3bDW6wMZJB7tiONtC/1Xpicra6Wp5GgbTbQWCbI5fkc= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.17.1 h1:LSsiG61v9IzzxMkqEr6nrix4miJI62xlRjwT7BYD2SM= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.17.1/go.mod h1:Hbb13e3/WtqQ8U5hLGkek9gJvBLasHuPFI0UEGfnQ10= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 h1:RtRsiaGvWxcwd8y3BiRZxsylPT8hLWZ5SPcfI+3IDNk= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0/go.mod h1:TzP6duP4Py2pHLVPPQp42aoYI92+PCrVotyR5e8Vqlk= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= github.com/hashicorp/consul/api v1.3.0/go.mod 
h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= @@ -916,6 +932,7 @@ github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhB github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.0/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/jonboulle/clockwork v0.3.0 h1:9BSCMi8C+0qdApAp4auwX0RkLGUjs956h0EkuQymUhg= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= @@ -1237,6 +1254,7 @@ github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prY github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= github.com/prometheus/client_golang v0.0.0-20181025174421-f30f42803563/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= 
@@ -1257,6 +1275,7 @@ github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUo github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= github.com/prometheus/common v0.0.0-20181020173914-7e9e6cabbd39/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= @@ -1271,6 +1290,7 @@ github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
@@ -1395,6 +1415,7 @@ github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYl github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js= github.com/sonatard/noctx v0.0.1/go.mod h1:9D2D/EoULe8Yy2joDHJj7bv3sZoq9AaSb8B4lqBjiZI= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs= @@ -1488,6 +1509,7 @@ github.com/tklauser/numcpus v0.2.1/go.mod h1:9aU+wOc6WjUIZEwWMP62PL/41d65P+iks1g github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 h1:6fotK7otjonDflCTK0BCfls4SPy3NcCVb5dqqmbRknE= github.com/tomarrell/wrapcheck/v2 v2.1.0/go.mod h1:crK5eI4RGSUrb9duDTQ5GqcukbKZvi85vX6nbhsBAeI= github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4= github.com/tommy-muehle/go-mnd/v2 v2.3.2/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw= 
@@ -1525,6 +1547,7 @@ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMc github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 h1:eY9dn8+vbi4tKz5Qo6v2eYzo7kUS51QINcR5jNpbZS8= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= 
@@ -1558,9 +1581,21 @@ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= +go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k= +go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489 h1:1JFLBqwIgdyHN1ZtgjTBwO+blA6gVOmZurpiMEsETKo= go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= +go.etcd.io/etcd/api/v3 v3.5.9 h1:4wSsluwyTbGGmyjJktOf3wFQoTBIURXHnq9n/G/JQHs= +go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k= +go.etcd.io/etcd/client/pkg/v3 v3.5.9 h1:oidDC4+YEuSIQbsR94rY9gur91UPL6DnxDCIYd2IGsE= +go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4= +go.etcd.io/etcd/client/v2 v2.305.9 h1:YZ2OLi0OvR0H75AcgSUajjd5uqKDKocQUqROTG11jIo= +go.etcd.io/etcd/client/v3 v3.5.9 h1:r5xghnU7CwbUxD/fbUtRyJGaYNfDun8sp/gTr1hew6E= +go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA= +go.etcd.io/etcd/pkg/v3 v3.5.9 h1:6R2jg/aWd/zB9+9JxmijDKStGJAPFsX3e6BeJkMi6eQ= +go.etcd.io/etcd/raft/v3 v3.5.9 h1:ZZ1GIHoUlHsn0QVqiRysAm3/81Xx7+i2d7nSdWxlOiI= +go.etcd.io/etcd/server/v3 v3.5.9 h1:vomEmmxeztLtS5OEH7d0hBAg4cjVIu9wXuNzUZx2ZA0= go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= 
@@ -1578,14 +1613,16 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.43.0 h1:HKORGpiOY0R0nAPtKx/ub8/7XoHhRooP8yNRkuPfelI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.43.0/go.mod h1:e+y1M74SYXo/FcIx3UATwth2+5dDkM8dBi7eXg1tbw8=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.44.0 h1:b8xjZxHbLrXAum4SxJd1Rlm7Y/fKaB+6ACI7/e5EfSA=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.44.0/go.mod h1:1ei0a32xOGkFoySu7y1DAHfcuIhC0pNZpvY2huXuMy4=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0 h1:KfYpVmrjI7JuToy5k8XV3nkapjWx48k4E4JOtVstzQI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0/go.mod h1:SeQhzAEccGVZVEy7aH87Nh0km+utSpo1pTv6eMMop48=
 go.opentelemetry.io/otel v1.18.0 h1:TgVozPGZ01nHyDZxK5WGPFB9QexeTMXEH7+tIClWfzs=
 go.opentelemetry.io/otel v1.18.0/go.mod h1:9lWqYO0Db579XzVuCKFNPDl4s73Voa+zEck3wHaAYQI=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.40.0 h1:MZbjiZeMmn5wFMORhozpouGKDxj9POHTuU5UA8msBQk=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.40.0/go.mod h1:C7tOYVCJmrDTCwxNny0MuUtnDIR3032vFHYke0F2ZrU=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.40.0 h1:q3FNPi8FLQVjLlmV+WWHQfH9ZCCtQIS0O/+dn1+4cJ4=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.40.0/go.mod h1:rmx4n0uSIAkKBeQYkygcv9dENAlL2/tv3OSq68h1JAo=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0 h1:k0k7hFNDd8K4iOMJXj7s8sHaC4mhTlAeppRmZXLgZ6k=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric v0.41.0/go.mod h1:hG4Fj/y8TR/tlEDREo8tWstl9fO9gcFkn4xrx0Io8xU=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0 h1:HgbDTD8pioFdY3NRc/YCvsWjqQPtweGyXxa32LgnTOw=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.41.0/go.mod h1:tmvt/yK5Es5d6lHYWerLSOna8lCEfrBVX/a9M0ggqss=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.18.0 h1:IAtl+7gua134xcV3NieDhJHjjOVeJhXAnYf/0hswjUY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.18.0/go.mod h1:w+pXobnBzh95MNIkeIuAKcHe/Uu/CX2PKIvBP6ipKRA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.18.0 h1:yE32ay7mJG2leczfREEhoW3VfSZIvHaB+gvVo1o8DQ8=
@@ -1799,8 +1836,8 @@ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
-golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
+golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4=
+golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2107,8 +2144,9 @@ google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww
 google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
+google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
@@ -2155,14 +2193,15 @@ google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
-google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
+google.golang.org/genproto v0.0.0-20230911183012-2d3300fd4832 h1:/30npZKtUjXqju7ZA2MsvpkGKD4mQFtf+zPnZasABjg=
+google.golang.org/genproto v0.0.0-20230911183012-2d3300fd4832/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4=
 google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q=
 google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
+google.golang.org/grpc v1.18.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -2229,6 +2268,7 @@ gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
@@ -2305,6 +2345,7 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kms v0.28.2 h1:KhG63LHopCdzs1oKA1j+NWleuIXudgOyCqJo4yi3GaM=
 k8s.io/kube-aggregator v0.28.1 h1:rvG4llYnQKHjj6YjjoBPEJxfD1uH0DJwkrJTNKGAaCs=
 k8s.io/kube-aggregator v0.28.1/go.mod h1:JaLizMe+AECSpO2OmrWVsvnG0V3dX1RpW+Wq/QHbu18=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
@@ -2329,7 +2370,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 h1:trsWhjU5jZrx6UvFu4WzQDrN7Pga4a7Qg+zcfcj64PA=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.4 h1:1RSHUg/47zxbcYkN4r+zMS8ZObRFpyDDBkcmWjTD5vM=
+sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.4/go.mod h1:e7I0gvW7fYKOqZDDsvaETBEyfM4dXh6DQ/SsqNInVC0=
 sigs.k8s.io/controller-runtime v0.8.2/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
 sigs.k8s.io/controller-runtime v0.8.3/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
 sigs.k8s.io/controller-runtime v0.16.1 h1:+15lzrmHsE0s2kNl0Dl8cTchI5Cs8qofo5PGcPrV9z0=
diff --git a/test/cli/test/images/digest/policies.yaml b/test/cli/test/images/digest/policies.yaml
index b5bb8bccc5..d2c1786e5a 100644
--- a/test/cli/test/images/digest/policies.yaml
+++ b/test/cli/test/images/digest/policies.yaml
@@ -18,4 +18,3 @@ spec:
 required: false
 verifyDigest: true
 mutateDigest: false
-