diff --git a/api/kyverno/v2/cleanup_policy_test.go b/api/kyverno/v2/cleanup_policy_test.go
new file mode 100644
index 0000000000..f9d03560f0
--- /dev/null
+++ b/api/kyverno/v2/cleanup_policy_test.go
@@ -0,0 +1,712 @@
+package v2
+
+import (
+ "encoding/json"
+ "fmt"
+ "testing"
+
+ "gotest.tools/assert"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_CleanupPolicy_Name(t *testing.T) {
+ subject := CleanupPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
+ },
+ Spec: CleanupPolicySpec{
+ Schedule: "* * * * *",
+ },
+ }
+ errs := subject.Validate(nil)
+ assert.Assert(t, len(errs) == 1)
+ assert.Equal(t, errs[0].Field, "metadata.name")
+ assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
+ assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
+ assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+}
+
+func Test_CleanupPolicy_Schedule(t *testing.T) {
+ subject := CleanupPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-policy",
+ },
+ Spec: CleanupPolicySpec{
+ Schedule: "schedule-not-in-proper-cron-format",
+ },
+ }
+ errs := subject.Validate(nil)
+ assert.Assert(t, len(errs) == 1)
+ assert.Equal(t, errs[0].Field, "spec.schedule")
+ assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
+ assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format")
+ assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule))
+}
+
+func Test_ClusterCleanupPolicy_Name(t *testing.T) {
+ subject := ClusterCleanupPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
+ },
+ Spec: CleanupPolicySpec{
+ Schedule: "* * * * *",
+ },
+ }
+ errs := subject.Validate(nil)
+ assert.Assert(t, len(errs) == 1)
+ assert.Equal(t, errs[0].Field, "metadata.name")
+ assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
+ assert.Equal(t, errs[0].Detail, "must have at most 63 bytes")
+ assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes")
+}
+
+func Test_ClusterCleanupPolicy_Schedule(t *testing.T) {
+ subject := ClusterCleanupPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-policy",
+ },
+ Spec: CleanupPolicySpec{
+ Schedule: "schedule-not-in-proper-cron-format",
+ },
+ }
+ errs := subject.Validate(nil)
+ assert.Assert(t, len(errs) == 1)
+ assert.Equal(t, errs[0].Field, "spec.schedule")
+ assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
+ assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format")
+ assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule))
+}
+
+func Test_doesMatchExcludeConflict_cleanupPolicy(t *testing.T) {
+ path := field.NewPath("dummy")
+ testcases := []struct {
+ description string
+ policySpec []byte
+ errors func(r *CleanupPolicySpec) field.ErrorList
+ }{
+ {
+ description: "Same match and exclude",
+ policySpec: []byte(`
+{
+ "match": {
+ "any": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "any": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ errors: func(r *CleanupPolicySpec) (errs field.ErrorList) {
+ return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set"))
+ },
+ },
+ {
+ description: "Failed to exclude kind",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude name",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something-*",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude namespace",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something3",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude labels",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "higha"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude expression",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "databases"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude subjects",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude clusterroles",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "Failed to exclude roles",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "exclude": {
+ "all": [{
+ "resources": {
+ "kinds": [
+ "Pod",
+ "Namespace"
+ ],
+ "name": "something",
+ "namespaces": [
+ "something",
+ "something1"
+ ],
+ "selector": {
+ "matchLabels": {
+ "memory": "high"
+ },
+ "matchExpressions": [
+ {
+ "key": "tier",
+ "operator": "In",
+ "values": [
+ "database"
+ ]
+ }
+ ]
+ }
+ }
+ }]
+ },
+ "schedule": "* * * * *"
+}`),
+ },
+ {
+ description: "empty case",
+ policySpec: []byte(`
+{
+ "match": {
+ "all": [{
+ "resources": {
+ "selector": {
+ "matchLabels": {
+ "allow-deletes": "false"
+ }
+ }
+ }
+ }]
+ },
+ "exclude": {},
+ "schedule": "* * * * *"
+}`),
+ },
+ }
+ for _, testcase := range testcases {
+ t.Run(testcase.description, func(t *testing.T) {
+ var policySpec CleanupPolicySpec
+ err := json.Unmarshal(testcase.policySpec, &policySpec)
+ assert.NilError(t, err)
+ errs := policySpec.ValidateMatchExcludeConflict(path)
+ var expectedErrs field.ErrorList
+ if testcase.errors != nil {
+ expectedErrs = testcase.errors(&policySpec)
+ }
+ assert.Equal(t, len(errs), len(expectedErrs))
+ for i := range errs {
+ fmt.Println(i)
+ assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
+ }
+ })
+ }
+}
diff --git a/api/kyverno/v2/cleanup_policy_types.go b/api/kyverno/v2/cleanup_policy_types.go
new file mode 100644
index 0000000000..fcb32e272d
--- /dev/null
+++ b/api/kyverno/v2/cleanup_policy_types.go
@@ -0,0 +1,293 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "time"
+
+ "github.com/aptible/supercronic/cronexpr"
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ datautils "github.com/kyverno/kyverno/pkg/utils/data"
+ "github.com/robfig/cron"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=cleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// CleanupPolicy defines a rule for resource cleanup.
+type CleanupPolicy struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec declares policy behaviors.
+ Spec CleanupPolicySpec `json:"spec"`
+
+ // Status contains policy runtime data.
+ // +optional
+ Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec {
+ return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus {
+ return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error) {
+ lastExecutionTime := p.Status.LastExecutionTime.Time
+ if lastExecutionTime.IsZero() {
+ creationTime := p.GetCreationTimestamp().Time
+ return p.GetNextExecutionTime(creationTime)
+ } else {
+ return p.GetNextExecutionTime(lastExecutionTime)
+ }
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+ cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+ if err != nil {
+ return nil, err
+ }
+ nextExecutionTime := cronExpr.Next(time)
+ return &nextExecutionTime, nil
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+ errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...)
+ return errs
+}
+
+// GetKind returns the resource kind
+func (p *CleanupPolicy) GetKind() string {
+ return "CleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *CleanupPolicy) GetAPIVersion() string {
+ return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *CleanupPolicy) IsNamespaced() bool {
+ return true
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CleanupPolicyList is a list of ClusterPolicy instances.
+type CleanupPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []CleanupPolicy `json:"items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+
+// ClusterCleanupPolicy defines rule for resource cleanup.
+type ClusterCleanupPolicy struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec declares policy behaviors.
+ Spec CleanupPolicySpec `json:"spec"`
+
+ // Status contains policy runtime data.
+ // +optional
+ Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec {
+ return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus {
+ return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error) {
+ lastExecutionTime := p.Status.LastExecutionTime.Time
+ if lastExecutionTime.IsZero() {
+ creationTime := p.GetCreationTimestamp().Time
+ return p.GetNextExecutionTime(creationTime)
+ } else {
+ return p.GetNextExecutionTime(lastExecutionTime)
+ }
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+ cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+ if err != nil {
+ return nil, err
+ }
+ nextExecutionTime := cronExpr.Next(time)
+ return &nextExecutionTime, nil
+}
+
+// GetKind returns the resource kind
+func (p *ClusterCleanupPolicy) GetKind() string {
+ return "ClusterCleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *ClusterCleanupPolicy) GetAPIVersion() string {
+ return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *ClusterCleanupPolicy) IsNamespaced() bool {
+ return false
+}
+
+// Validate implements programmatic validation
+func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+ errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...)
+ return errs
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
+type ClusterCleanupPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []ClusterCleanupPolicy `json:"items"`
+}
+
+// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+// and schedule when the matching resources needs deleted.
+type CleanupPolicySpec struct {
+ // Context defines variables and data sources that can be used during rule execution.
+ // +optional
+ Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
+
+ // MatchResources defines when cleanuppolicy should be applied. The match
+ // criteria can include resource information (e.g. kind, name, namespace, labels)
+ // and admission review request information like the user name or role.
+ // At least one kind is required.
+ MatchResources MatchResources `json:"match,omitempty"`
+
+ // ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ // criteria can include resource information (e.g. kind, name, namespace, labels)
+ // and admission review request information like the name or role.
+ // +optional
+ ExcludeResources *MatchResources `json:"exclude,omitempty"`
+
+ // The schedule in Cron format
+ Schedule string `json:"schedule"`
+
+ // Conditions defines the conditions used to select the resources which will be cleaned up.
+ // +optional
+ Conditions *AnyAllConditions `json:"conditions,omitempty"`
+}
+
+// CleanupPolicyStatus stores the status of the policy.
+type CleanupPolicyStatus struct {
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+ LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
+ // Write context validation code here by following other validations.
+ errs = append(errs, ValidateContext(path.Child("context"), p.Context)...)
+ errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
+ if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
+ errs = append(errs, userInfoErrs...)
+ } else {
+ errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
+ }
+ if p.ExcludeResources != nil {
+ if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 {
+ errs = append(errs, userInfoErrs...)
+ } else {
+ errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
+ }
+ }
+ errs = append(errs, p.ValidateMatchExcludeConflict(path)...)
+ return errs
+}
+
+func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
+ for _, entry := range context {
+ if entry.ImageRegistry != nil {
+ errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy"))
+ } else if entry.ConfigMap != nil {
+ errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy"))
+ }
+ }
+ return errs
+}
+
+// ValidateSchedule validates whether the schedule specified is in proper cron format or not.
+func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
+ if _, err := cron.ParseStandard(schedule); err != nil {
+ errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format"))
+ }
+ return errs
+}
+
+// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set
+func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) {
+ if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 {
+ return errs
+ }
+ // if both have any then no resource should be common
+ if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 {
+ for _, rmr := range spec.MatchResources.Any {
+ for _, rer := range spec.ExcludeResources.Any {
+ if datautils.DeepEqual(rmr, rer) {
+ return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+ }
+ }
+ }
+ return errs
+ }
+ if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) {
+ return errs
+ }
+ return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+}
diff --git a/api/kyverno/v2/condition.go b/api/kyverno/v2/condition.go
new file mode 100644
index 0000000000..058329332c
--- /dev/null
+++ b/api/kyverno/v2/condition.go
@@ -0,0 +1,94 @@
+package v2
+
+import (
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+ apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// ConditionOperator is the operation performed on condition key and value.
+// +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
+type ConditionOperator string
+
+// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
+// "Equals" evaluates if the key is equal to the value.
+// "NotEquals" evaluates if the key is not equal to the value.
+// "AnyIn" evaluates if any of the keys are contained in the set of values.
+// "AllIn" evaluates if all the keys are contained in the set of values.
+// "AnyNotIn" evaluates if any of the keys are not contained in the set of values.
+// "AllNotIn" evaluates if all the keys are not contained in the set of values.
+// "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric).
+// "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric).
+// "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric).
+// "LessThan" evaluates if the key (numeric) is less than the value (numeric).
+// "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration)
+// "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration)
+// "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration)
+// "DurationLessThan" evaluates if the key (duration) is greater than the value (duration)
+var ConditionOperators = map[string]ConditionOperator{
+ "Equals": ConditionOperator("Equals"),
+ "NotEquals": ConditionOperator("NotEquals"),
+ "AnyIn": ConditionOperator("AnyIn"),
+ "AllIn": ConditionOperator("AllIn"),
+ "AnyNotIn": ConditionOperator("AnyNotIn"),
+ "AllNotIn": ConditionOperator("AllNotIn"),
+ "GreaterThanOrEquals": ConditionOperator("GreaterThanOrEquals"),
+ "GreaterThan": ConditionOperator("GreaterThan"),
+ "LessThanOrEquals": ConditionOperator("LessThanOrEquals"),
+ "LessThan": ConditionOperator("LessThan"),
+ "DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
+ "DurationGreaterThan": ConditionOperator("DurationGreaterThan"),
+ "DurationLessThanOrEquals": ConditionOperator("DurationLessThanOrEquals"),
+ "DurationLessThan": ConditionOperator("DurationLessThan"),
+}
+
+type Condition struct {
+ // Key is the context entry (using JMESPath) for conditional rule evaluation.
+ RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"`
+
+ // Operator is the conditional operation to perform. Valid operators are:
+ // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ // GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ // DurationLessThanOrEquals, DurationLessThan
+ Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
+
+ // Value is the conditional value, or set of values. The values can be fixed set
+ // or can be variables declared using JMESPath.
+ // +optional
+ RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"`
+
+ // Message is an optional display message
+ Message string `json:"message,omitempty" yaml:"message,omitempty"`
+}
+
+func (c *Condition) GetKey() apiextensions.JSON {
+ return kyvernov1.FromJSON(c.RawKey)
+}
+
+func (c *Condition) SetKey(in apiextensions.JSON) {
+ c.RawKey = kyvernov1.ToJSON(in)
+}
+
+func (c *Condition) GetValue() apiextensions.JSON {
+ return kyvernov1.FromJSON(c.RawValue)
+}
+
+func (c *Condition) SetValue(in apiextensions.JSON) {
+ c.RawValue = kyvernov1.ToJSON(in)
+}
+
+type AnyAllConditions struct {
+ // AnyConditions enable variable-based conditional rule execution. This is useful for
+ // finer control of when an rule is applied. A condition can reference object data
+ // using JMESPath notation.
+ // Here, at least one of the conditions need to pass.
+ // +optional
+ AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
+
+ // AllConditions enable variable-based conditional rule execution. This is useful for
+ // finer control of when an rule is applied. A condition can reference object data
+ // using JMESPath notation.
+ // Here, all of the conditions need to pass.
+ // +optional
+ AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
+}
diff --git a/api/kyverno/v2/match_resources_test.go b/api/kyverno/v2/match_resources_test.go
new file mode 100644
index 0000000000..d7787d5ddb
--- /dev/null
+++ b/api/kyverno/v2/match_resources_test.go
@@ -0,0 +1,68 @@
+package v2
+
+import (
+ "testing"
+
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "gotest.tools/assert"
+ rbacv1 "k8s.io/api/rbac/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_MatchResources(t *testing.T) {
+ testCases := []struct {
+ name string
+ namespaced bool
+ subject MatchResources
+ errors []string
+ }{{
+ name: "valid",
+ namespaced: true,
+ subject: MatchResources{
+ Any: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ },
+ }, {
+ name: "any-all",
+ namespaced: true,
+ subject: MatchResources{
+ Any: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ All: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ },
+ errors: []string{
+ `dummy: Invalid value: v2.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}}: Can't specify any and all together`,
+ },
+ }}
+
+ path := field.NewPath("dummy")
+ for _, testCase := range testCases {
+ errs := testCase.subject.Validate(path, testCase.namespaced, nil)
+ assert.Equal(t, len(errs), len(testCase.errors))
+ for i, err := range errs {
+ assert.Equal(t, err.Error(), testCase.errors[i])
+ }
+ }
+}
diff --git a/api/kyverno/v2/match_resources_types.go b/api/kyverno/v2/match_resources_types.go
new file mode 100644
index 0000000000..0889b68286
--- /dev/null
+++ b/api/kyverno/v2/match_resources_types.go
@@ -0,0 +1,80 @@
+package v2
+
+import (
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// MatchResources is used to specify resource and admission review request data for
+// which a policy rule is applicable.
+type MatchResources struct {
+ // Any allows specifying resources which will be ORed
+ // +optional
+ Any kyvernov1.ResourceFilters `json:"any,omitempty" yaml:"any,omitempty"`
+
+ // All allows specifying resources which will be ANDed
+ // +optional
+ All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"`
+}
+
+// GetKinds returns all kinds
+func (m *MatchResources) GetKinds() []string {
+ var kinds []string
+ for _, value := range m.All {
+ kinds = append(kinds, value.ResourceDescription.Kinds...)
+ }
+ for _, value := range m.Any {
+ kinds = append(kinds, value.ResourceDescription.Kinds...)
+ }
+ return kinds
+}
+
+// ValidateNoUserInfo verifies that no user info is used
+func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorList) {
+ anyPath := path.Child("any")
+ for i, filter := range m.Any {
+ errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...)
+ }
+ allPath := path.Child("all")
+ for i, filter := range m.All {
+ errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...)
+ }
+ return errs
+}
+
+// ValidateResourceWithNoUserInfo implements programmatic validation and verifies that no user info is used
+func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+ if len(m.Any) > 0 && len(m.All) > 0 {
+ errs = append(errs, field.Invalid(path, m, "Can't specify any and all together"))
+ }
+ anyPath := path.Child("any")
+ for i, filter := range m.Any {
+ errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...)
+ errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...)
+ }
+ allPath := path.Child("all")
+ for i, filter := range m.All {
+ errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...)
+ errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...)
+ }
+ return errs
+}
+
+// Validate implements programmatic validation
+func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+ if len(m.Any) > 0 && len(m.All) > 0 {
+ errs = append(errs, field.Invalid(path, m, "Can't specify any and all together"))
+ }
+ anyPath := path.Child("any")
+ for i, filter := range m.Any {
+ errs = append(errs, filter.UserInfo.Validate(anyPath.Index(i))...)
+ errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...)
+ }
+ allPath := path.Child("all")
+ for i, filter := range m.All {
+ errs = append(errs, filter.UserInfo.Validate(allPath.Index(i))...)
+ errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...)
+ }
+ return errs
+}
diff --git a/api/kyverno/v2/zz_generated.deepcopy.go b/api/kyverno/v2/zz_generated.deepcopy.go
index 7986f7e785..c89c9695dc 100644
--- a/api/kyverno/v2/zz_generated.deepcopy.go
+++ b/api/kyverno/v2/zz_generated.deepcopy.go
@@ -22,8 +22,11 @@ limitations under the License.
package v2
import (
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
v1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+ apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -112,6 +115,36 @@ func (in *AdmissionReportSpec) DeepCopy() *AdmissionReportSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) {
+ *out = *in
+ if in.AnyConditions != nil {
+ in, out := &in.AnyConditions, &out.AnyConditions
+ *out = make([]Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.AllConditions != nil {
+ in, out := &in.AllConditions, &out.AllConditions
+ *out = make([]Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.
+func (in *AnyAllConditions) DeepCopy() *AnyAllConditions {
+ if in == nil {
+ return nil
+ }
+ out := new(AnyAllConditions)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *BackgroundScanReport) DeepCopyInto(out *BackgroundScanReport) {
*out = *in
@@ -196,6 +229,125 @@ func (in *BackgroundScanReportSpec) DeepCopy() *BackgroundScanReportSpec {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy.
+func (in *CleanupPolicy) DeepCopy() *CleanupPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(CleanupPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CleanupPolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]CleanupPolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList.
+func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(CleanupPolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *CleanupPolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) {
+ *out = *in
+ if in.Context != nil {
+ in, out := &in.Context, &out.Context
+ *out = make([]v1.ContextEntry, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ in.MatchResources.DeepCopyInto(&out.MatchResources)
+ if in.ExcludeResources != nil {
+ in, out := &in.ExcludeResources, &out.ExcludeResources
+ *out = new(MatchResources)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = new(AnyAllConditions)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec.
+func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec {
+ if in == nil {
+ return nil
+ }
+ out := new(CleanupPolicySpec)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) {
+ *out = *in
+ if in.Conditions != nil {
+ in, out := &in.Conditions, &out.Conditions
+ *out = make([]metav1.Condition, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ in.LastExecutionTime.DeepCopyInto(&out.LastExecutionTime)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus.
+func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus {
+ if in == nil {
+ return nil
+ }
+ out := new(CleanupPolicyStatus)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ClusterAdmissionReport) DeepCopyInto(out *ClusterAdmissionReport) {
*out = *in
@@ -316,6 +468,93 @@ func (in *ClusterBackgroundScanReportList) DeepCopyObject() runtime.Object {
return nil
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+ in.Spec.DeepCopyInto(&out.Spec)
+ in.Status.DeepCopyInto(&out.Status)
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy.
+func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(ClusterCleanupPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) {
+ *out = *in
+ out.TypeMeta = in.TypeMeta
+ in.ListMeta.DeepCopyInto(&out.ListMeta)
+ if in.Items != nil {
+ in, out := &in.Items, &out.Items
+ *out = make([]ClusterCleanupPolicy, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList.
+func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList {
+ if in == nil {
+ return nil
+ }
+ out := new(ClusterCleanupPolicyList)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object {
+ if c := in.DeepCopy(); c != nil {
+ return c
+ }
+ return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Condition) DeepCopyInto(out *Condition) {
+ *out = *in
+ if in.RawKey != nil {
+ in, out := &in.RawKey, &out.RawKey
+ *out = new(apiextensionsv1.JSON)
+ (*in).DeepCopyInto(*out)
+ }
+ if in.RawValue != nil {
+ in, out := &in.RawValue, &out.RawValue
+ *out = new(apiextensionsv1.JSON)
+ (*in).DeepCopyInto(*out)
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
+func (in *Condition) DeepCopy() *Condition {
+ if in == nil {
+ return nil
+ }
+ out := new(Condition)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Exception) DeepCopyInto(out *Exception) {
*out = *in
@@ -337,6 +576,36 @@ func (in *Exception) DeepCopy() *Exception {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchResources) DeepCopyInto(out *MatchResources) {
+ *out = *in
+ if in.Any != nil {
+ in, out := &in.Any, &out.Any
+ *out = make(v1.ResourceFilters, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.All != nil {
+ in, out := &in.All, &out.All
+ *out = make(v1.ResourceFilters, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
+func (in *MatchResources) DeepCopy() *MatchResources {
+ if in == nil {
+ return nil
+ }
+ out := new(MatchResources)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyException) DeepCopyInto(out *PolicyException) {
*out = *in
diff --git a/api/kyverno/v2/zz_generated.register.go b/api/kyverno/v2/zz_generated.register.go
index 713c98d009..fb6801e1d3 100644
--- a/api/kyverno/v2/zz_generated.register.go
+++ b/api/kyverno/v2/zz_generated.register.go
@@ -62,10 +62,14 @@ func addKnownTypes(scheme *runtime.Scheme) error {
&AdmissionReportList{},
&BackgroundScanReport{},
&BackgroundScanReportList{},
+ &CleanupPolicy{},
+ &CleanupPolicyList{},
&ClusterAdmissionReport{},
&ClusterAdmissionReportList{},
&ClusterBackgroundScanReport{},
&ClusterBackgroundScanReportList{},
+ &ClusterCleanupPolicy{},
+ &ClusterCleanupPolicyList{},
&PolicyException{},
&PolicyExceptionList{},
)
diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml
index da1b3919e2..b152bf4b24 100644
--- a/charts/kyverno/charts/crds/templates/crds.yaml
+++ b/charts/kyverno/charts/crds/templates/crds.yaml
@@ -1247,6 +1247,1247 @@ spec:
singular: cleanuppolicy
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: CleanupPolicy defines a rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
@@ -4981,6 +6222,1247 @@ spec:
singular: clustercleanuppolicy
scope: Cluster
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: ClusterCleanupPolicy defines rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml
index dcba01e640..ca4a4e50d0 100644
--- a/config/crds/kyverno.io_cleanuppolicies.yaml
+++ b/config/crds/kyverno.io_cleanuppolicies.yaml
@@ -18,6 +18,1247 @@ spec:
singular: cleanuppolicy
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: CleanupPolicy defines a rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml
index f36f32c4f7..cfa9264d10 100644
--- a/config/crds/kyverno.io_clustercleanuppolicies.yaml
+++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml
@@ -18,6 +18,1247 @@ spec:
singular: clustercleanuppolicy
scope: Cluster
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: ClusterCleanupPolicy defines rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 12a1ac684c..150cafeb2e 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -1458,6 +1458,1247 @@ spec:
singular: cleanuppolicy
scope: Namespaced
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: CleanupPolicy defines a rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
@@ -5198,6 +6439,1247 @@ spec:
singular: clustercleanuppolicy
scope: Cluster
versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.schedule
+ name: Schedule
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v2
+ schema:
+ openAPIV3Schema:
+ description: ClusterCleanupPolicy defines rule for resource cleanup.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Spec declares policy behaviors.
+ properties:
+ conditions:
+ description: Conditions defines the conditions used to select the
+ resources which will be cleaned up.
+ properties:
+ all:
+ description: AllConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, all of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: AnyConditions enable variable-based conditional rule
+ execution. This is useful for finer control of when an rule
+ is applied. A condition can reference object data using JMESPath
+ notation. Here, at least one of the conditions need to pass.
+ items:
+ properties:
+ key:
+ description: Key is the context entry (using JMESPath) for
+ conditional rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional display message
+ type: string
+ operator:
+ description: 'Operator is the conditional operation to perform.
+ Valid operators are: Equals, NotEquals, In, AnyIn, AllIn,
+ NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
+ LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
+ DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan'
+ enum:
+ - Equals
+ - NotEquals
+ - AnyIn
+ - AllIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: Value is the conditional value, or set of values.
+ The values can be fixed set or can be variables declared
+ using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ context:
+ description: Context defines variables and data sources that can be
+ used during rule execution.
+ items:
+ description: ContextEntry adds variables and data sources to a rule
+ Context. Either a ConfigMap reference or a APILookup must be provided.
+ properties:
+ apiCall:
+ description: APICall is an HTTP request to the Kubernetes API
+ server, or other JSON web service. The data returned is stored
+ in the context with the name for the context entry.
+ properties:
+ data:
+ description: Data specifies the POST data sent to the server.
+ items:
+ description: RequestData contains the HTTP POST data
+ properties:
+ key:
+ description: Key is a unique identifier for the data
+ value
+ type: string
+ value:
+ description: Value is the data value
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the JSON response returned
+ from the server. For example a JMESPath of "items | length(@)"
+ applied to the API server response for the URLPath "/apis/apps/v1/deployments"
+ will return the total count of deployments across all
+ namespaces.
+ type: string
+ method:
+ default: GET
+ description: Method is the HTTP request type (GET or POST).
+ enum:
+ - GET
+ - POST
+ type: string
+ service:
+ description: Service is an API call to a JSON web service
+ properties:
+ caBundle:
+ description: CABundle is a PEM encoded CA bundle which
+ will be used to validate the server certificate.
+ type: string
+ url:
+ description: URL is the JSON web service URL. A typical
+ form is `https://{service}.{namespace}:{port}/{path}`.
+ type: string
+ required:
+ - url
+ type: object
+ urlPath:
+ description: URLPath is the URL path to be used in the HTTP
+ GET or POST request to the Kubernetes API server (e.g.
+ "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl
+ get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
+ for details.
+ type: string
+ type: object
+ configMap:
+ description: ConfigMap is the ConfigMap reference.
+ properties:
+ name:
+ description: Name is the ConfigMap name.
+ type: string
+ namespace:
+ description: Namespace is the ConfigMap namespace.
+ type: string
+ required:
+ - name
+ type: object
+ imageRegistry:
+ description: ImageRegistry defines requests to an OCI/Docker
+ V2 registry to fetch image details.
+ properties:
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure access
+ to a registry.
+ type: boolean
+ providers:
+ description: 'Providers specifies a list of OCI Registry
+ names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.'
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: Secrets specifies a list of secrets that
+ are provided for credentials. Secrets must live in
+ the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ jmesPath:
+ description: JMESPath is an optional JSON Match Expression
+ that can be used to transform the ImageData struct returned
+ as a result of processing the image reference.
+ type: string
+ reference:
+ description: 'Reference is image reference to a container
+ image in the registry. Example: ghcr.io/kyverno/kyverno:latest'
+ type: string
+ required:
+ - reference
+ type: object
+ name:
+ description: Name is the variable name.
+ type: string
+ variable:
+ description: Variable defines an arbitrary JMESPath context
+ variable that can be defined inline.
+ properties:
+ default:
+ description: Default is an optional arbitrary JSON object
+ that the variable may take if the JMESPath expression
+ evaluates to nil
+ x-kubernetes-preserve-unknown-fields: true
+ jmesPath:
+ description: JMESPath is an optional JMESPath Expression
+ that can be used to transform the variable.
+ type: string
+ value:
+ description: Value is any arbitrary JSON object representable
+ in YAML or JSON form.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: object
+ type: array
+ exclude:
+ description: ExcludeResources defines when cleanuppolicy should not
+ be applied. The exclude criteria can include resource information
+ (e.g. kind, name, namespace, labels) and admission review request
+ information like the name or role.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ match:
+ description: MatchResources defines when cleanuppolicy should be applied.
+ The match criteria can include resource information (e.g. kind,
+ name, namespace, labels) and admission review request information
+ like the user name or role. At least one kind is required.
+ properties:
+ all:
+ description: All allows specifying resources which will be ANDed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ any:
+ description: Any allows specifying resources which will be ORed
+ items:
+ description: ResourceFilter allow users to "AND" or "OR" between
+ resources
+ properties:
+ clusterRoles:
+ description: ClusterRoles is the list of cluster-wide role
+ names for the user.
+ items:
+ type: string
+ type: array
+ resources:
+ description: ResourceDescription contains information about
+ the resource being created or modified.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: Annotations is a map of annotations (key-value
+ pairs of type string). Annotation keys and values
+ support the wildcard characters "*" (matches zero
+ or many characters) and "?" (matches at least one
+ character).
+ type: object
+ kinds:
+ description: Kinds is a list of resource kinds.
+ items:
+ type: string
+ type: array
+ name:
+ description: 'Name is the name of the resource. The
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".'
+ type: string
+ names:
+ description: Names are the names of the resources. Each
+ name supports wildcard characters "*" (matches zero
+ or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: 'NamespaceSelector is a label selector
+ for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*`
+ (matches zero or many characters) and `?` (matches
+ one character).Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Namespaces is a list of namespaces names.
+ Each name supports wildcard characters "*" (matches
+ zero or many characters) and "?" (at least one character).
+ items:
+ type: string
+ type: array
+ operations:
+ description: Operations can contain values ["CREATE,
+ "UPDATE", "CONNECT", "DELETE"], which are used to
+ match a specific action.
+ items:
+ description: AdmissionOperation can have one of the
+ values CREATE, UPDATE, CONNECT, DELETE, which are
+ used to match a specific action.
+ enum:
+ - CREATE
+ - CONNECT
+ - UPDATE
+ - DELETE
+ type: string
+ type: array
+ selector:
+ description: 'Selector is a label selector. Label keys
+ and values in `matchLabels` support the wildcard characters
+ `*` (matches zero or many characters) and `?` (matches
+ one character). Wildcards allows writing label selectors
+ like ["storage.k8s.io/*": "*"]. Note that using ["*"
+ : "*"] matches any key and value but does not match
+ an empty label set.'
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a
+ selector that contains values, a key, and an
+ operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are
+ In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string
+ values. If the operator is In or NotIn,
+ the values array must be non-empty. If the
+ operator is Exists or DoesNotExist, the
+ values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator is "In",
+ and the values array contains only "value". The
+ requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ roles:
+ description: Roles is the list of namespaced role names
+ for the user.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: Subjects is the list of subject names like
+ users, user groups, and service accounts.
+ items:
+ description: Subject contains a reference to the object
+ or user identities a role binding applies to. This
+ can either hold a direct API object reference, or a
+ value for non-objects such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User
+ and Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values
+ defined by this API group are "User", "Group", and
+ "ServiceAccount". If the Authorizer does not recognized
+ the kind value, the Authorizer should report an
+ error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If
+ the object kind is non-namespace, such as "User"
+ or "Group", and this value is not empty the Authorizer
+ should report an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ type: array
+ type: object
+ schedule:
+ description: The schedule in Cron format
+ type: string
+ required:
+ - schedule
+ type: object
+ status:
+ description: Status contains policy runtime data.
+ properties:
+ conditions:
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource. --- This struct is intended for direct
+ use as an array at the field path .status.conditions. For example,
+ \n type FooStatus struct{ // Represents the observations of a
+ foo's current state. // Known .status.conditions.type are: \"Available\",
+ \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
+ // +listType=map // +listMapKey=type Conditions []metav1.Condition
+ `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
+ protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
+ properties:
+ lastTransitionTime:
+ description: lastTransitionTime is the last time the condition
+ transitioned from one status to another. This should be when
+ the underlying condition changed. If that is not known, then
+ using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: message is a human readable message indicating
+ details about the transition. This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: observedGeneration represents the .metadata.generation
+ that the condition was set based upon. For instance, if .metadata.generation
+ is currently 12, but the .status.conditions[x].observedGeneration
+ is 9, the condition is out of date with respect to the current
+ state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: reason contains a programmatic identifier indicating
+ the reason for the condition's last transition. Producers
+ of specific condition types may define expected values and
+ meanings for this field, and whether the values are considered
+ a guaranteed API. The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ --- Many .condition.type values are consistent across resources
+ like Available, but because arbitrary conditions can be useful
+ (see .node.status.conditions), the ability to deconflict is
+ important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ lastExecutionTime:
+ format: date-time
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
- additionalPrinterColumns:
- jsonPath: .spec.schedule
name: Schedule
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html
index 79def009e2..425405331c 100644
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@@ -1373,6 +1373,7 @@ string
ForEachValidation,
Rule,
TargetResourceSpec,
+CleanupPolicySpec,
CleanupPolicySpec,
Rule)
@@ -3226,6 +3227,7 @@ ResourceDescription
(Appears on:
MatchResources,
+MatchResources,
MatchResources)
@@ -5334,10 +5336,14 @@ Resource Types:
BackgroundScanReport
+CleanupPolicy
+
ClusterAdmissionReport
ClusterBackgroundScanReport
+ClusterCleanupPolicy
+
PolicyException
@@ -5536,6 +5542,155 @@ PolicyReportSummary
+CleanupPolicy
+
+
+
CleanupPolicy defines a rule for resource cleanup.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+apiVersion
+string |
+
+
+kyverno.io/v2
+
+ |
+
+
+
+kind
+string
+ |
+CleanupPolicy |
+
+
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+
+
+spec
+
+
+CleanupPolicySpec
+
+
+ |
+
+ Spec declares policy behaviors.
+
+
+
+
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution.
+ |
+
+
+
+match
+
+
+MatchResources
+
+
+ |
+
+ MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.
+ |
+
+
+
+exclude
+
+
+MatchResources
+
+
+ |
+
+(Optional)
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.
+ |
+
+
+
+schedule
+
+string
+
+ |
+
+ The schedule in Cron format
+ |
+
+
+
+conditions
+
+
+AnyAllConditions
+
+
+ |
+
+(Optional)
+ Conditions defines the conditions used to select the resources which will be cleaned up.
+ |
+
+
+ |
+
+
+
+status
+
+
+CleanupPolicyStatus
+
+
+ |
+
+(Optional)
+ Status contains policy runtime data.
+ |
+
+
+
+
ClusterAdmissionReport
@@ -5731,6 +5886,155 @@ PolicyReportSummary
+ClusterCleanupPolicy
+
+
+
ClusterCleanupPolicy defines rule for resource cleanup.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+apiVersion
+string |
+
+
+kyverno.io/v2
+
+ |
+
+
+
+kind
+string
+ |
+ClusterCleanupPolicy |
+
+
+
+metadata
+
+
+Kubernetes meta/v1.ObjectMeta
+
+
+ |
+
+Refer to the Kubernetes API documentation for the fields of the
+metadata field.
+ |
+
+
+
+spec
+
+
+CleanupPolicySpec
+
+
+ |
+
+ Spec declares policy behaviors.
+
+
+
+
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution.
+ |
+
+
+
+match
+
+
+MatchResources
+
+
+ |
+
+ MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.
+ |
+
+
+
+exclude
+
+
+MatchResources
+
+
+ |
+
+(Optional)
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.
+ |
+
+
+
+schedule
+
+string
+
+ |
+
+ The schedule in Cron format
+ |
+
+
+
+conditions
+
+
+AnyAllConditions
+
+
+ |
+
+(Optional)
+ Conditions defines the conditions used to select the resources which will be cleaned up.
+ |
+
+
+ |
+
+
+
+status
+
+
+CleanupPolicyStatus
+
+
+ |
+
+(Optional)
+ Status contains policy runtime data.
+ |
+
+
+
+
PolicyException
@@ -5912,6 +6216,59 @@ PolicyReportSummary
+AnyAllConditions
+
+
+(Appears on:
+CleanupPolicySpec)
+
+
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+any
+
+
+[]Condition
+
+
+ |
+
+(Optional)
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+finer control of when an rule is applied. A condition can reference object data
+using JMESPath notation.
+Here, at least one of the conditions need to pass.
+ |
+
+
+
+all
+
+
+[]Condition
+
+
+ |
+
+(Optional)
+ AllConditions enable variable-based conditional rule execution. This is useful for
+finer control of when an rule is applied. A condition can reference object data
+using JMESPath notation.
+Here, all of the conditions need to pass.
+ |
+
+
+
+
BackgroundScanReportSpec
@@ -5962,6 +6319,227 @@ PolicyReportSummary
+CleanupPolicySpec
+
+
+(Appears on:
+CleanupPolicy,
+ClusterCleanupPolicy)
+
+
+
CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+and schedule when the matching resources needs deleted.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+context
+
+
+[]ContextEntry
+
+
+ |
+
+(Optional)
+ Context defines variables and data sources that can be used during rule execution.
+ |
+
+
+
+match
+
+
+MatchResources
+
+
+ |
+
+ MatchResources defines when cleanuppolicy should be applied. The match
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the user name or role.
+At least one kind is required.
+ |
+
+
+
+exclude
+
+
+MatchResources
+
+
+ |
+
+(Optional)
+ ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+criteria can include resource information (e.g. kind, name, namespace, labels)
+and admission review request information like the name or role.
+ |
+
+
+
+schedule
+
+string
+
+ |
+
+ The schedule in Cron format
+ |
+
+
+
+conditions
+
+
+AnyAllConditions
+
+
+ |
+
+(Optional)
+ Conditions defines the conditions used to select the resources which will be cleaned up.
+ |
+
+
+
+
+CleanupPolicyStatus
+
+
+(Appears on:
+CleanupPolicy,
+ClusterCleanupPolicy)
+
+
+
CleanupPolicyStatus stores the status of the policy.
+
+
+
+Condition
+
+
+(Appears on:
+AnyAllConditions)
+
+
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+key
+
+
+Kubernetes apiextensions/v1.JSON
+
+
+ |
+
+ Key is the context entry (using JMESPath) for conditional rule evaluation.
+ |
+
+
+
+operator
+
+
+ConditionOperator
+
+
+ |
+
+ Operator is the conditional operation to perform. Valid operators are:
+Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+DurationLessThanOrEquals, DurationLessThan
+ |
+
+
+
+value
+
+
+Kubernetes apiextensions/v1.JSON
+
+
+ |
+
+(Optional)
+ Value is the conditional value, or set of values. The values can be fixed set
+or can be variables declared using JMESPath.
+ |
+
+
+
+message
+
+string
+
+ |
+
+ Message is an optional display message
+ |
+
+
+
+
+ConditionOperator
+(string alias)
+
+(Appears on:
+Condition)
+
+
+
ConditionOperator is the operation performed on condition key and value.
+
Exception
@@ -6006,6 +6584,55 @@ references a ClusterPolicy.
+MatchResources
+
+
+(Appears on:
+CleanupPolicySpec)
+
+
+
MatchResources is used to specify resource and admission review request data for
+which a policy rule is applicable.
+
+
+
+
+| Field |
+Description |
+
+
+
+
+
+any
+
+
+ResourceFilters
+
+
+ |
+
+(Optional)
+ Any allows specifying resources which will be ORed
+ |
+
+
+
+all
+
+
+ResourceFilters
+
+
+ |
+
+(Optional)
+ All allows specifying resources which will be ANDed
+ |
+
+
+
+
PolicyExceptionSpec
diff --git a/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go b/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go
new file mode 100644
index 0000000000..3a8b081583
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/anyallconditions.go
@@ -0,0 +1,58 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+// AnyAllConditionsApplyConfiguration represents an declarative configuration of the AnyAllConditions type for use
+// with apply.
+type AnyAllConditionsApplyConfiguration struct {
+ AnyConditions []ConditionApplyConfiguration `json:"any,omitempty"`
+ AllConditions []ConditionApplyConfiguration `json:"all,omitempty"`
+}
+
+// AnyAllConditionsApplyConfiguration constructs an declarative configuration of the AnyAllConditions type for use with
+// apply.
+func AnyAllConditions() *AnyAllConditionsApplyConfiguration {
+ return &AnyAllConditionsApplyConfiguration{}
+}
+
+// WithAnyConditions adds the given value to the AnyConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AnyConditions field.
+func (b *AnyAllConditionsApplyConfiguration) WithAnyConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithAnyConditions")
+ }
+ b.AnyConditions = append(b.AnyConditions, *values[i])
+ }
+ return b
+}
+
+// WithAllConditions adds the given value to the AllConditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AllConditions field.
+func (b *AnyAllConditionsApplyConfiguration) WithAllConditions(values ...*ConditionApplyConfiguration) *AnyAllConditionsApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithAllConditions")
+ }
+ b.AllConditions = append(b.AllConditions, *values[i])
+ }
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go
new file mode 100644
index 0000000000..f1d49d909d
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicy.go
@@ -0,0 +1,219 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// CleanupPolicyApplyConfiguration represents an declarative configuration of the CleanupPolicy type for use
+// with apply.
+type CleanupPolicyApplyConfiguration struct {
+ v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
+ *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+ Spec *CleanupPolicySpecApplyConfiguration `json:"spec,omitempty"`
+ Status *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// CleanupPolicy constructs an declarative configuration of the CleanupPolicy type for use with
+// apply.
+func CleanupPolicy(name, namespace string) *CleanupPolicyApplyConfiguration {
+ b := &CleanupPolicyApplyConfiguration{}
+ b.WithName(name)
+ b.WithNamespace(namespace)
+ b.WithKind("CleanupPolicy")
+ b.WithAPIVersion("kyverno.io/v2")
+ return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithKind(value string) *CleanupPolicyApplyConfiguration {
+ b.Kind = &value
+ return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithAPIVersion(value string) *CleanupPolicyApplyConfiguration {
+ b.APIVersion = &value
+ return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithName(value string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Name = &value
+ return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithGenerateName(value string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.GenerateName = &value
+ return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithNamespace(value string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Namespace = &value
+ return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithUID(value types.UID) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.UID = &value
+ return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithResourceVersion(value string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ResourceVersion = &value
+ return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithGeneration(value int64) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Generation = &value
+ return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.CreationTimestamp = &value
+ return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionTimestamp = &value
+ return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionGracePeriodSeconds = &value
+ return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *CleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Labels == nil && len(entries) > 0 {
+ b.Labels = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Labels[k] = v
+ }
+ return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *CleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Annotations == nil && len(entries) > 0 {
+ b.Annotations = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Annotations[k] = v
+ }
+ return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *CleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithOwnerReferences")
+ }
+ b.OwnerReferences = append(b.OwnerReferences, *values[i])
+ }
+ return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *CleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *CleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ b.Finalizers = append(b.Finalizers, values[i])
+ }
+ return b
+}
+
+func (b *CleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+ if b.ObjectMetaApplyConfiguration == nil {
+ b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+ }
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *CleanupPolicyApplyConfiguration {
+ b.Spec = value
+ return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *CleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *CleanupPolicyApplyConfiguration {
+ b.Status = value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go
new file mode 100644
index 0000000000..acbbba3bfc
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicyspec.go
@@ -0,0 +1,84 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v1 "github.com/kyverno/kyverno/pkg/client/applyconfigurations/kyverno/v1"
+)
+
+// CleanupPolicySpecApplyConfiguration represents an declarative configuration of the CleanupPolicySpec type for use
+// with apply.
+type CleanupPolicySpecApplyConfiguration struct {
+ Context []v1.ContextEntryApplyConfiguration `json:"context,omitempty"`
+ MatchResources *MatchResourcesApplyConfiguration `json:"match,omitempty"`
+ ExcludeResources *MatchResourcesApplyConfiguration `json:"exclude,omitempty"`
+ Schedule *string `json:"schedule,omitempty"`
+ Conditions *AnyAllConditionsApplyConfiguration `json:"conditions,omitempty"`
+}
+
+// CleanupPolicySpecApplyConfiguration constructs an declarative configuration of the CleanupPolicySpec type for use with
+// apply.
+func CleanupPolicySpec() *CleanupPolicySpecApplyConfiguration {
+ return &CleanupPolicySpecApplyConfiguration{}
+}
+
+// WithContext adds the given value to the Context field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Context field.
+func (b *CleanupPolicySpecApplyConfiguration) WithContext(values ...*v1.ContextEntryApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithContext")
+ }
+ b.Context = append(b.Context, *values[i])
+ }
+ return b
+}
+
+// WithMatchResources sets the MatchResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MatchResources field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithMatchResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+ b.MatchResources = value
+ return b
+}
+
+// WithExcludeResources sets the ExcludeResources field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ExcludeResources field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithExcludeResources(value *MatchResourcesApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+ b.ExcludeResources = value
+ return b
+}
+
+// WithSchedule sets the Schedule field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Schedule field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithSchedule(value string) *CleanupPolicySpecApplyConfiguration {
+ b.Schedule = &value
+ return b
+}
+
+// WithConditions sets the Conditions field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Conditions field is set to the value of the last call.
+func (b *CleanupPolicySpecApplyConfiguration) WithConditions(value *AnyAllConditionsApplyConfiguration) *CleanupPolicySpecApplyConfiguration {
+ b.Conditions = value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go
new file mode 100644
index 0000000000..42471820f5
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/cleanuppolicystatus.go
@@ -0,0 +1,54 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// CleanupPolicyStatusApplyConfiguration represents an declarative configuration of the CleanupPolicyStatus type for use
+// with apply.
+type CleanupPolicyStatusApplyConfiguration struct {
+ Conditions []v1.Condition `json:"conditions,omitempty"`
+ LastExecutionTime *v1.Time `json:"lastExecutionTime,omitempty"`
+}
+
+// CleanupPolicyStatusApplyConfiguration constructs an declarative configuration of the CleanupPolicyStatus type for use with
+// apply.
+func CleanupPolicyStatus() *CleanupPolicyStatusApplyConfiguration {
+ return &CleanupPolicyStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *CleanupPolicyStatusApplyConfiguration) WithConditions(values ...v1.Condition) *CleanupPolicyStatusApplyConfiguration {
+ for i := range values {
+ b.Conditions = append(b.Conditions, values[i])
+ }
+ return b
+}
+
+// WithLastExecutionTime sets the LastExecutionTime field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the LastExecutionTime field is set to the value of the last call.
+func (b *CleanupPolicyStatusApplyConfiguration) WithLastExecutionTime(value v1.Time) *CleanupPolicyStatusApplyConfiguration {
+ b.LastExecutionTime = &value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go b/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go
new file mode 100644
index 0000000000..399cbf0c7b
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/clustercleanuppolicy.go
@@ -0,0 +1,218 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// ClusterCleanupPolicyApplyConfiguration represents an declarative configuration of the ClusterCleanupPolicy type for use
+// with apply.
+type ClusterCleanupPolicyApplyConfiguration struct {
+ v1.TypeMetaApplyConfiguration `json:",omitempty,inline"`
+ *v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+ Spec *CleanupPolicySpecApplyConfiguration `json:"spec,omitempty"`
+ Status *CleanupPolicyStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// ClusterCleanupPolicy constructs an declarative configuration of the ClusterCleanupPolicy type for use with
+// apply.
+func ClusterCleanupPolicy(name string) *ClusterCleanupPolicyApplyConfiguration {
+ b := &ClusterCleanupPolicyApplyConfiguration{}
+ b.WithName(name)
+ b.WithKind("ClusterCleanupPolicy")
+ b.WithAPIVersion("kyverno.io/v2")
+ return b
+}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithKind(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.Kind = &value
+ return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithAPIVersion(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.APIVersion = &value
+ return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithName(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Name = &value
+ return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithGenerateName(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.GenerateName = &value
+ return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithNamespace(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Namespace = &value
+ return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithUID(value types.UID) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.UID = &value
+ return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithResourceVersion(value string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.ResourceVersion = &value
+ return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithGeneration(value int64) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.Generation = &value
+ return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.CreationTimestamp = &value
+ return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionTimestamp = &value
+ return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ b.DeletionGracePeriodSeconds = &value
+ return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithLabels(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Labels == nil && len(entries) > 0 {
+ b.Labels = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Labels[k] = v
+ }
+ return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithAnnotations(entries map[string]string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ if b.Annotations == nil && len(entries) > 0 {
+ b.Annotations = make(map[string]string, len(entries))
+ }
+ for k, v := range entries {
+ b.Annotations[k] = v
+ }
+ return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ if values[i] == nil {
+ panic("nil value passed to WithOwnerReferences")
+ }
+ b.OwnerReferences = append(b.OwnerReferences, *values[i])
+ }
+ return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithFinalizers(values ...string) *ClusterCleanupPolicyApplyConfiguration {
+ b.ensureObjectMetaApplyConfigurationExists()
+ for i := range values {
+ b.Finalizers = append(b.Finalizers, values[i])
+ }
+ return b
+}
+
+func (b *ClusterCleanupPolicyApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+ if b.ObjectMetaApplyConfiguration == nil {
+ b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+ }
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithSpec(value *CleanupPolicySpecApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+ b.Spec = value
+ return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *ClusterCleanupPolicyApplyConfiguration) WithStatus(value *CleanupPolicyStatusApplyConfiguration) *ClusterCleanupPolicyApplyConfiguration {
+ b.Status = value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/condition.go b/pkg/client/applyconfigurations/kyverno/v2/condition.go
new file mode 100644
index 0000000000..fe319c66f4
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/condition.go
@@ -0,0 +1,71 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+)
+
+// ConditionApplyConfiguration represents an declarative configuration of the Condition type for use
+// with apply.
+type ConditionApplyConfiguration struct {
+ RawKey *v1.JSON `json:"key,omitempty"`
+ Operator *v2.ConditionOperator `json:"operator,omitempty"`
+ RawValue *v1.JSON `json:"value,omitempty"`
+ Message *string `json:"message,omitempty"`
+}
+
+// ConditionApplyConfiguration constructs an declarative configuration of the Condition type for use with
+// apply.
+func Condition() *ConditionApplyConfiguration {
+ return &ConditionApplyConfiguration{}
+}
+
+// WithRawKey sets the RawKey field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RawKey field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithRawKey(value v1.JSON) *ConditionApplyConfiguration {
+ b.RawKey = &value
+ return b
+}
+
+// WithOperator sets the Operator field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Operator field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithOperator(value v2.ConditionOperator) *ConditionApplyConfiguration {
+ b.Operator = &value
+ return b
+}
+
+// WithRawValue sets the RawValue field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RawValue field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithRawValue(value v1.JSON) *ConditionApplyConfiguration {
+ b.RawValue = &value
+ return b
+}
+
+// WithMessage sets the Message field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Message field is set to the value of the last call.
+func (b *ConditionApplyConfiguration) WithMessage(value string) *ConditionApplyConfiguration {
+ b.Message = &value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/kyverno/v2/matchresources.go b/pkg/client/applyconfigurations/kyverno/v2/matchresources.go
new file mode 100644
index 0000000000..6d5fe8ab03
--- /dev/null
+++ b/pkg/client/applyconfigurations/kyverno/v2/matchresources.go
@@ -0,0 +1,52 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v1 "github.com/kyverno/kyverno/api/kyverno/v1"
+)
+
+// MatchResourcesApplyConfiguration represents an declarative configuration of the MatchResources type for use
+// with apply.
+type MatchResourcesApplyConfiguration struct {
+ Any *v1.ResourceFilters `json:"any,omitempty"`
+ All *v1.ResourceFilters `json:"all,omitempty"`
+}
+
+// MatchResourcesApplyConfiguration constructs an declarative configuration of the MatchResources type for use with
+// apply.
+func MatchResources() *MatchResourcesApplyConfiguration {
+ return &MatchResourcesApplyConfiguration{}
+}
+
+// WithAny sets the Any field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Any field is set to the value of the last call.
+func (b *MatchResourcesApplyConfiguration) WithAny(value v1.ResourceFilters) *MatchResourcesApplyConfiguration {
+ b.Any = &value
+ return b
+}
+
+// WithAll sets the All field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the All field is set to the value of the last call.
+func (b *MatchResourcesApplyConfiguration) WithAll(value v1.ResourceFilters) *MatchResourcesApplyConfiguration {
+ b.All = &value
+ return b
+}
diff --git a/pkg/client/applyconfigurations/utils.go b/pkg/client/applyconfigurations/utils.go
index 3829bc2e74..f307e02b09 100644
--- a/pkg/client/applyconfigurations/utils.go
+++ b/pkg/client/applyconfigurations/utils.go
@@ -171,16 +171,30 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
return &kyvernov2.AdmissionReportApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("AdmissionReportSpec"):
return &kyvernov2.AdmissionReportSpecApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("AnyAllConditions"):
+ return &kyvernov2.AnyAllConditionsApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("BackgroundScanReport"):
return &kyvernov2.BackgroundScanReportApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("BackgroundScanReportSpec"):
return &kyvernov2.BackgroundScanReportSpecApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("CleanupPolicy"):
+ return &kyvernov2.CleanupPolicyApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("CleanupPolicySpec"):
+ return &kyvernov2.CleanupPolicySpecApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("CleanupPolicyStatus"):
+ return &kyvernov2.CleanupPolicyStatusApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("ClusterAdmissionReport"):
return &kyvernov2.ClusterAdmissionReportApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("ClusterBackgroundScanReport"):
return &kyvernov2.ClusterBackgroundScanReportApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy"):
+ return &kyvernov2.ClusterCleanupPolicyApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("Condition"):
+ return &kyvernov2.ConditionApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("Exception"):
return &kyvernov2.ExceptionApplyConfiguration{}
+ case v2.SchemeGroupVersion.WithKind("MatchResources"):
+ return &kyvernov2.MatchResourcesApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("PolicyException"):
return &kyvernov2.PolicyExceptionApplyConfiguration{}
case v2.SchemeGroupVersion.WithKind("PolicyExceptionSpec"):
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go
new file mode 100644
index 0000000000..6203a0498f
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/cleanuppolicy.go
@@ -0,0 +1,195 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ "context"
+ "time"
+
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// CleanupPoliciesGetter has a method to return a CleanupPolicyInterface.
+// A group's client should implement this interface.
+type CleanupPoliciesGetter interface {
+ CleanupPolicies(namespace string) CleanupPolicyInterface
+}
+
+// CleanupPolicyInterface has methods to work with CleanupPolicy resources.
+type CleanupPolicyInterface interface {
+ Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (*v2.CleanupPolicy, error)
+ Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error)
+ UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.CleanupPolicy, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v2.CleanupPolicyList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error)
+ CleanupPolicyExpansion
+}
+
+// cleanupPolicies implements CleanupPolicyInterface
+type cleanupPolicies struct {
+ client rest.Interface
+ ns string
+}
+
+// newCleanupPolicies returns a CleanupPolicies
+func newCleanupPolicies(c *KyvernoV2Client, namespace string) *cleanupPolicies {
+ return &cleanupPolicies{
+ client: c.RESTClient(),
+ ns: namespace,
+ }
+}
+
+// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any.
+func (c *cleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) {
+ result = &v2.CleanupPolicy{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors.
+func (c *cleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v2.CleanupPolicyList{}
+ err = c.client.Get().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested cleanupPolicies.
+func (c *cleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a cleanupPolicy and creates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *cleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) {
+ result = &v2.CleanupPolicy{}
+ err = c.client.Post().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(cleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *cleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+ result = &v2.CleanupPolicy{}
+ err = c.client.Put().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ Name(cleanupPolicy.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(cleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *cleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+ result = &v2.CleanupPolicy{}
+ err = c.client.Put().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ Name(cleanupPolicy.Name).
+ SubResource("status").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(cleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *cleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *cleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched cleanupPolicy.
+func (c *cleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) {
+ result = &v2.CleanupPolicy{}
+ err = c.client.Patch(pt).
+ Namespace(c.ns).
+ Resource("cleanuppolicies").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go
new file mode 100644
index 0000000000..709a8fb6be
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/clustercleanuppolicy.go
@@ -0,0 +1,184 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ "context"
+ "time"
+
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ scheme "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ rest "k8s.io/client-go/rest"
+)
+
+// ClusterCleanupPoliciesGetter has a method to return a ClusterCleanupPolicyInterface.
+// A group's client should implement this interface.
+type ClusterCleanupPoliciesGetter interface {
+ ClusterCleanupPolicies() ClusterCleanupPolicyInterface
+}
+
+// ClusterCleanupPolicyInterface has methods to work with ClusterCleanupPolicy resources.
+type ClusterCleanupPolicyInterface interface {
+ Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (*v2.ClusterCleanupPolicy, error)
+ Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error)
+ UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error)
+ Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+ DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+ Get(ctx context.Context, name string, opts v1.GetOptions) (*v2.ClusterCleanupPolicy, error)
+ List(ctx context.Context, opts v1.ListOptions) (*v2.ClusterCleanupPolicyList, error)
+ Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+ Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error)
+ ClusterCleanupPolicyExpansion
+}
+
+// clusterCleanupPolicies implements ClusterCleanupPolicyInterface
+type clusterCleanupPolicies struct {
+ client rest.Interface
+}
+
+// newClusterCleanupPolicies returns a ClusterCleanupPolicies
+func newClusterCleanupPolicies(c *KyvernoV2Client) *clusterCleanupPolicies {
+ return &clusterCleanupPolicies{
+ client: c.RESTClient(),
+ }
+}
+
+// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any.
+func (c *clusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ result = &v2.ClusterCleanupPolicy{}
+ err = c.client.Get().
+ Resource("clustercleanuppolicies").
+ Name(name).
+ VersionedParams(&options, scheme.ParameterCodec).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors.
+func (c *clusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ result = &v2.ClusterCleanupPolicyList{}
+ err = c.client.Get().
+ Resource("clustercleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies.
+func (c *clusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ var timeout time.Duration
+ if opts.TimeoutSeconds != nil {
+ timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+ }
+ opts.Watch = true
+ return c.client.Get().
+ Resource("clustercleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Watch(ctx)
+}
+
+// Create takes the representation of a clusterCleanupPolicy and creates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *clusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ result = &v2.ClusterCleanupPolicy{}
+ err = c.client.Post().
+ Resource("clustercleanuppolicies").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(clusterCleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *clusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ result = &v2.ClusterCleanupPolicy{}
+ err = c.client.Put().
+ Resource("clustercleanuppolicies").
+ Name(clusterCleanupPolicy.Name).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(clusterCleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *clusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ result = &v2.ClusterCleanupPolicy{}
+ err = c.client.Put().
+ Resource("clustercleanuppolicies").
+ Name(clusterCleanupPolicy.Name).
+ SubResource("status").
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(clusterCleanupPolicy).
+ Do(ctx).
+ Into(result)
+ return
+}
+
+// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *clusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ return c.client.Delete().
+ Resource("clustercleanuppolicies").
+ Name(name).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *clusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ var timeout time.Duration
+ if listOpts.TimeoutSeconds != nil {
+ timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+ }
+ return c.client.Delete().
+ Resource("clustercleanuppolicies").
+ VersionedParams(&listOpts, scheme.ParameterCodec).
+ Timeout(timeout).
+ Body(&opts).
+ Do(ctx).
+ Error()
+}
+
+// Patch applies the patch and returns the patched clusterCleanupPolicy.
+func (c *clusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) {
+ result = &v2.ClusterCleanupPolicy{}
+ err = c.client.Patch(pt).
+ Resource("clustercleanuppolicies").
+ Name(name).
+ SubResource(subresources...).
+ VersionedParams(&opts, scheme.ParameterCodec).
+ Body(data).
+ Do(ctx).
+ Into(result)
+ return
+}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go
new file mode 100644
index 0000000000..4ce42e6997
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_cleanuppolicy.go
@@ -0,0 +1,141 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ "context"
+
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ testing "k8s.io/client-go/testing"
+)
+
+// FakeCleanupPolicies implements CleanupPolicyInterface
+type FakeCleanupPolicies struct {
+ Fake *FakeKyvernoV2
+ ns string
+}
+
+var cleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("cleanuppolicies")
+
+var cleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("CleanupPolicy")
+
+// Get takes name of the cleanupPolicy, and returns the corresponding cleanupPolicy object, and an error if there is any.
+func (c *FakeCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.CleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewGetAction(cleanuppoliciesResource, c.ns, name), &v2.CleanupPolicy{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.CleanupPolicy), err
+}
+
+// List takes label and field selectors, and returns the list of CleanupPolicies that match those selectors.
+func (c *FakeCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.CleanupPolicyList, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewListAction(cleanuppoliciesResource, cleanuppoliciesKind, c.ns, opts), &v2.CleanupPolicyList{})
+
+ if obj == nil {
+ return nil, err
+ }
+
+ label, _, _ := testing.ExtractFromListOptions(opts)
+ if label == nil {
+ label = labels.Everything()
+ }
+ list := &v2.CleanupPolicyList{ListMeta: obj.(*v2.CleanupPolicyList).ListMeta}
+ for _, item := range obj.(*v2.CleanupPolicyList).Items {
+ if label.Matches(labels.Set(item.Labels)) {
+ list.Items = append(list.Items, item)
+ }
+ }
+ return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested cleanupPolicies.
+func (c *FakeCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ return c.Fake.
+ InvokesWatch(testing.NewWatchAction(cleanuppoliciesResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a cleanupPolicy and creates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *FakeCleanupPolicies) Create(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.CreateOptions) (result *v2.CleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewCreateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.CleanupPolicy), err
+}
+
+// Update takes the representation of a cleanupPolicy and updates it. Returns the server's representation of the cleanupPolicy, and an error, if there is any.
+func (c *FakeCleanupPolicies) Update(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (result *v2.CleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewUpdateAction(cleanuppoliciesResource, c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.CleanupPolicy), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeCleanupPolicies) UpdateStatus(ctx context.Context, cleanupPolicy *v2.CleanupPolicy, opts v1.UpdateOptions) (*v2.CleanupPolicy, error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewUpdateSubresourceAction(cleanuppoliciesResource, "status", c.ns, cleanupPolicy), &v2.CleanupPolicy{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.CleanupPolicy), err
+}
+
+// Delete takes name of the cleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *FakeCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ _, err := c.Fake.
+ Invokes(testing.NewDeleteActionWithOptions(cleanuppoliciesResource, c.ns, name, opts), &v2.CleanupPolicy{})
+
+ return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ action := testing.NewDeleteCollectionAction(cleanuppoliciesResource, c.ns, listOpts)
+
+ _, err := c.Fake.Invokes(action, &v2.CleanupPolicyList{})
+ return err
+}
+
+// Patch applies the patch and returns the patched cleanupPolicy.
+func (c *FakeCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.CleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewPatchSubresourceAction(cleanuppoliciesResource, c.ns, name, pt, data, subresources...), &v2.CleanupPolicy{})
+
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.CleanupPolicy), err
+}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go
new file mode 100644
index 0000000000..f8562d7c74
--- /dev/null
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_clustercleanuppolicy.go
@@ -0,0 +1,132 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+ "context"
+
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ labels "k8s.io/apimachinery/pkg/labels"
+ types "k8s.io/apimachinery/pkg/types"
+ watch "k8s.io/apimachinery/pkg/watch"
+ testing "k8s.io/client-go/testing"
+)
+
+// FakeClusterCleanupPolicies implements ClusterCleanupPolicyInterface
+type FakeClusterCleanupPolicies struct {
+ Fake *FakeKyvernoV2
+}
+
+var clustercleanuppoliciesResource = v2.SchemeGroupVersion.WithResource("clustercleanuppolicies")
+
+var clustercleanuppoliciesKind = v2.SchemeGroupVersion.WithKind("ClusterCleanupPolicy")
+
+// Get takes name of the clusterCleanupPolicy, and returns the corresponding clusterCleanupPolicy object, and an error if there is any.
+func (c *FakeClusterCleanupPolicies) Get(ctx context.Context, name string, options v1.GetOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootGetAction(clustercleanuppoliciesResource, name), &v2.ClusterCleanupPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// List takes label and field selectors, and returns the list of ClusterCleanupPolicies that match those selectors.
+func (c *FakeClusterCleanupPolicies) List(ctx context.Context, opts v1.ListOptions) (result *v2.ClusterCleanupPolicyList, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootListAction(clustercleanuppoliciesResource, clustercleanuppoliciesKind, opts), &v2.ClusterCleanupPolicyList{})
+ if obj == nil {
+ return nil, err
+ }
+
+ label, _, _ := testing.ExtractFromListOptions(opts)
+ if label == nil {
+ label = labels.Everything()
+ }
+ list := &v2.ClusterCleanupPolicyList{ListMeta: obj.(*v2.ClusterCleanupPolicyList).ListMeta}
+ for _, item := range obj.(*v2.ClusterCleanupPolicyList).Items {
+ if label.Matches(labels.Set(item.Labels)) {
+ list.Items = append(list.Items, item)
+ }
+ }
+ return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested clusterCleanupPolicies.
+func (c *FakeClusterCleanupPolicies) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+ return c.Fake.
+ InvokesWatch(testing.NewRootWatchAction(clustercleanuppoliciesResource, opts))
+}
+
+// Create takes the representation of a clusterCleanupPolicy and creates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *FakeClusterCleanupPolicies) Create(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.CreateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootCreateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// Update takes the representation of a clusterCleanupPolicy and updates it. Returns the server's representation of the clusterCleanupPolicy, and an error, if there is any.
+func (c *FakeClusterCleanupPolicies) Update(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (result *v2.ClusterCleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootUpdateAction(clustercleanuppoliciesResource, clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// UpdateStatus was generated because the type contains a Status member.
+// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+func (c *FakeClusterCleanupPolicies) UpdateStatus(ctx context.Context, clusterCleanupPolicy *v2.ClusterCleanupPolicy, opts v1.UpdateOptions) (*v2.ClusterCleanupPolicy, error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootUpdateSubresourceAction(clustercleanuppoliciesResource, "status", clusterCleanupPolicy), &v2.ClusterCleanupPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.ClusterCleanupPolicy), err
+}
+
+// Delete takes name of the clusterCleanupPolicy and deletes it. Returns an error if one occurs.
+func (c *FakeClusterCleanupPolicies) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+ _, err := c.Fake.
+ Invokes(testing.NewRootDeleteActionWithOptions(clustercleanuppoliciesResource, name, opts), &v2.ClusterCleanupPolicy{})
+ return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeClusterCleanupPolicies) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+ action := testing.NewRootDeleteCollectionAction(clustercleanuppoliciesResource, listOpts)
+
+ _, err := c.Fake.Invokes(action, &v2.ClusterCleanupPolicyList{})
+ return err
+}
+
+// Patch applies the patch and returns the patched clusterCleanupPolicy.
+func (c *FakeClusterCleanupPolicies) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v2.ClusterCleanupPolicy, err error) {
+ obj, err := c.Fake.
+ Invokes(testing.NewRootPatchSubresourceAction(clustercleanuppoliciesResource, name, pt, data, subresources...), &v2.ClusterCleanupPolicy{})
+ if obj == nil {
+ return nil, err
+ }
+ return obj.(*v2.ClusterCleanupPolicy), err
+}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go
index 000f9d06d0..4b1c8f3f8b 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/fake/fake_kyverno_client.go
@@ -36,6 +36,10 @@ func (c *FakeKyvernoV2) BackgroundScanReports(namespace string) v2.BackgroundSca
return &FakeBackgroundScanReports{c, namespace}
}
+func (c *FakeKyvernoV2) CleanupPolicies(namespace string) v2.CleanupPolicyInterface {
+ return &FakeCleanupPolicies{c, namespace}
+}
+
func (c *FakeKyvernoV2) ClusterAdmissionReports() v2.ClusterAdmissionReportInterface {
return &FakeClusterAdmissionReports{c}
}
@@ -44,6 +48,10 @@ func (c *FakeKyvernoV2) ClusterBackgroundScanReports() v2.ClusterBackgroundScanR
return &FakeClusterBackgroundScanReports{c}
}
+func (c *FakeKyvernoV2) ClusterCleanupPolicies() v2.ClusterCleanupPolicyInterface {
+ return &FakeClusterCleanupPolicies{c}
+}
+
func (c *FakeKyvernoV2) PolicyExceptions(namespace string) v2.PolicyExceptionInterface {
return &FakePolicyExceptions{c, namespace}
}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go b/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go
index c2310d3094..12949a2d8a 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/generated_expansion.go
@@ -22,8 +22,12 @@ type AdmissionReportExpansion interface{}
type BackgroundScanReportExpansion interface{}
+type CleanupPolicyExpansion interface{}
+
type ClusterAdmissionReportExpansion interface{}
type ClusterBackgroundScanReportExpansion interface{}
+type ClusterCleanupPolicyExpansion interface{}
+
type PolicyExceptionExpansion interface{}
diff --git a/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go
index 716a42e189..a8c3bd43b2 100644
--- a/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go
+++ b/pkg/client/clientset/versioned/typed/kyverno/v2/kyverno_client.go
@@ -30,8 +30,10 @@ type KyvernoV2Interface interface {
RESTClient() rest.Interface
AdmissionReportsGetter
BackgroundScanReportsGetter
+ CleanupPoliciesGetter
ClusterAdmissionReportsGetter
ClusterBackgroundScanReportsGetter
+ ClusterCleanupPoliciesGetter
PolicyExceptionsGetter
}
@@ -48,6 +50,10 @@ func (c *KyvernoV2Client) BackgroundScanReports(namespace string) BackgroundScan
return newBackgroundScanReports(c, namespace)
}
+func (c *KyvernoV2Client) CleanupPolicies(namespace string) CleanupPolicyInterface {
+ return newCleanupPolicies(c, namespace)
+}
+
func (c *KyvernoV2Client) ClusterAdmissionReports() ClusterAdmissionReportInterface {
return newClusterAdmissionReports(c)
}
@@ -56,6 +62,10 @@ func (c *KyvernoV2Client) ClusterBackgroundScanReports() ClusterBackgroundScanRe
return newClusterBackgroundScanReports(c)
}
+func (c *KyvernoV2Client) ClusterCleanupPolicies() ClusterCleanupPolicyInterface {
+ return newClusterCleanupPolicies(c)
+}
+
func (c *KyvernoV2Client) PolicyExceptions(namespace string) PolicyExceptionInterface {
return newPolicyExceptions(c, namespace)
}
diff --git a/pkg/client/informers/externalversions/generic.go b/pkg/client/informers/externalversions/generic.go
index b6a853eb02..e50a52f7b8 100644
--- a/pkg/client/informers/externalversions/generic.go
+++ b/pkg/client/informers/externalversions/generic.go
@@ -83,10 +83,14 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().AdmissionReports().Informer()}, nil
case v2.SchemeGroupVersion.WithResource("backgroundscanreports"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().BackgroundScanReports().Informer()}, nil
+ case v2.SchemeGroupVersion.WithResource("cleanuppolicies"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().CleanupPolicies().Informer()}, nil
case v2.SchemeGroupVersion.WithResource("clusteradmissionreports"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterAdmissionReports().Informer()}, nil
case v2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterBackgroundScanReports().Informer()}, nil
+ case v2.SchemeGroupVersion.WithResource("clustercleanuppolicies"):
+ return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().ClusterCleanupPolicies().Informer()}, nil
case v2.SchemeGroupVersion.WithResource("policyexceptions"):
return &genericInformer{resource: resource.GroupResource(), informer: f.Kyverno().V2().PolicyExceptions().Informer()}, nil
diff --git a/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go b/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go
new file mode 100644
index 0000000000..7ee4192bcc
--- /dev/null
+++ b/pkg/client/informers/externalversions/kyverno/v2/cleanuppolicy.go
@@ -0,0 +1,90 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ "context"
+ time "time"
+
+ kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+ internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+ v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// CleanupPolicyInformer provides access to a shared informer and lister for
+// CleanupPolicies.
+type CleanupPolicyInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v2.CleanupPolicyLister
+}
+
+type cleanupPolicyInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+ namespace string
+}
+
+// NewCleanupPolicyInformer constructs a new informer for CleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredCleanupPolicyInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredCleanupPolicyInformer constructs a new informer for CleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredCleanupPolicyInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.KyvernoV2().CleanupPolicies(namespace).List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.KyvernoV2().CleanupPolicies(namespace).Watch(context.TODO(), options)
+ },
+ },
+ &kyvernov2.CleanupPolicy{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *cleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredCleanupPolicyInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *cleanupPolicyInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&kyvernov2.CleanupPolicy{}, f.defaultInformer)
+}
+
+func (f *cleanupPolicyInformer) Lister() v2.CleanupPolicyLister {
+ return v2.NewCleanupPolicyLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go b/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go
new file mode 100644
index 0000000000..8b6b1916b0
--- /dev/null
+++ b/pkg/client/informers/externalversions/kyverno/v2/clustercleanuppolicy.go
@@ -0,0 +1,89 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ "context"
+ time "time"
+
+ kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ versioned "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+ internalinterfaces "github.com/kyverno/kyverno/pkg/client/informers/externalversions/internalinterfaces"
+ v2 "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ runtime "k8s.io/apimachinery/pkg/runtime"
+ watch "k8s.io/apimachinery/pkg/watch"
+ cache "k8s.io/client-go/tools/cache"
+)
+
+// ClusterCleanupPolicyInformer provides access to a shared informer and lister for
+// ClusterCleanupPolicies.
+type ClusterCleanupPolicyInformer interface {
+ Informer() cache.SharedIndexInformer
+ Lister() v2.ClusterCleanupPolicyLister
+}
+
+type clusterCleanupPolicyInformer struct {
+ factory internalinterfaces.SharedInformerFactory
+ tweakListOptions internalinterfaces.TweakListOptionsFunc
+}
+
+// NewClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+ return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredClusterCleanupPolicyInformer constructs a new informer for ClusterCleanupPolicy type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredClusterCleanupPolicyInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+ return cache.NewSharedIndexInformer(
+ &cache.ListWatch{
+ ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.KyvernoV2().ClusterCleanupPolicies().List(context.TODO(), options)
+ },
+ WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+ if tweakListOptions != nil {
+ tweakListOptions(&options)
+ }
+ return client.KyvernoV2().ClusterCleanupPolicies().Watch(context.TODO(), options)
+ },
+ },
+ &kyvernov2.ClusterCleanupPolicy{},
+ resyncPeriod,
+ indexers,
+ )
+}
+
+func (f *clusterCleanupPolicyInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+ return NewFilteredClusterCleanupPolicyInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *clusterCleanupPolicyInformer) Informer() cache.SharedIndexInformer {
+ return f.factory.InformerFor(&kyvernov2.ClusterCleanupPolicy{}, f.defaultInformer)
+}
+
+func (f *clusterCleanupPolicyInformer) Lister() v2.ClusterCleanupPolicyLister {
+ return v2.NewClusterCleanupPolicyLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/client/informers/externalversions/kyverno/v2/interface.go b/pkg/client/informers/externalversions/kyverno/v2/interface.go
index 3502ee6ed3..5c1e408f35 100644
--- a/pkg/client/informers/externalversions/kyverno/v2/interface.go
+++ b/pkg/client/informers/externalversions/kyverno/v2/interface.go
@@ -28,10 +28,14 @@ type Interface interface {
AdmissionReports() AdmissionReportInformer
// BackgroundScanReports returns a BackgroundScanReportInformer.
BackgroundScanReports() BackgroundScanReportInformer
+ // CleanupPolicies returns a CleanupPolicyInformer.
+ CleanupPolicies() CleanupPolicyInformer
// ClusterAdmissionReports returns a ClusterAdmissionReportInformer.
ClusterAdmissionReports() ClusterAdmissionReportInformer
// ClusterBackgroundScanReports returns a ClusterBackgroundScanReportInformer.
ClusterBackgroundScanReports() ClusterBackgroundScanReportInformer
+ // ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer.
+ ClusterCleanupPolicies() ClusterCleanupPolicyInformer
// PolicyExceptions returns a PolicyExceptionInformer.
PolicyExceptions() PolicyExceptionInformer
}
@@ -57,6 +61,11 @@ func (v *version) BackgroundScanReports() BackgroundScanReportInformer {
return &backgroundScanReportInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
}
+// CleanupPolicies returns a CleanupPolicyInformer.
+func (v *version) CleanupPolicies() CleanupPolicyInformer {
+ return &cleanupPolicyInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
// ClusterAdmissionReports returns a ClusterAdmissionReportInformer.
func (v *version) ClusterAdmissionReports() ClusterAdmissionReportInformer {
return &clusterAdmissionReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
@@ -67,6 +76,11 @@ func (v *version) ClusterBackgroundScanReports() ClusterBackgroundScanReportInfo
return &clusterBackgroundScanReportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
}
+// ClusterCleanupPolicies returns a ClusterCleanupPolicyInformer.
+func (v *version) ClusterCleanupPolicies() ClusterCleanupPolicyInformer {
+ return &clusterCleanupPolicyInformer{factory: v.factory, tweakListOptions: v.tweakListOptions}
+}
+
// PolicyExceptions returns a PolicyExceptionInformer.
func (v *version) PolicyExceptions() PolicyExceptionInformer {
return &policyExceptionInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
diff --git a/pkg/client/listers/kyverno/v2/cleanuppolicy.go b/pkg/client/listers/kyverno/v2/cleanuppolicy.go
new file mode 100644
index 0000000000..ad79c4126d
--- /dev/null
+++ b/pkg/client/listers/kyverno/v2/cleanuppolicy.go
@@ -0,0 +1,99 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// CleanupPolicyLister helps list CleanupPolicies.
+// All objects returned here must be treated as read-only.
+type CleanupPolicyLister interface {
+ // List lists all CleanupPolicies in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error)
+ // CleanupPolicies returns an object that can list and get CleanupPolicies.
+ CleanupPolicies(namespace string) CleanupPolicyNamespaceLister
+ CleanupPolicyListerExpansion
+}
+
+// cleanupPolicyLister implements the CleanupPolicyLister interface.
+type cleanupPolicyLister struct {
+ indexer cache.Indexer
+}
+
+// NewCleanupPolicyLister returns a new CleanupPolicyLister.
+func NewCleanupPolicyLister(indexer cache.Indexer) CleanupPolicyLister {
+ return &cleanupPolicyLister{indexer: indexer}
+}
+
+// List lists all CleanupPolicies in the indexer.
+func (s *cleanupPolicyLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v2.CleanupPolicy))
+ })
+ return ret, err
+}
+
+// CleanupPolicies returns an object that can list and get CleanupPolicies.
+func (s *cleanupPolicyLister) CleanupPolicies(namespace string) CleanupPolicyNamespaceLister {
+ return cleanupPolicyNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// CleanupPolicyNamespaceLister helps list and get CleanupPolicies.
+// All objects returned here must be treated as read-only.
+type CleanupPolicyNamespaceLister interface {
+ // List lists all CleanupPolicies in the indexer for a given namespace.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error)
+ // Get retrieves the CleanupPolicy from the indexer for a given namespace and name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v2.CleanupPolicy, error)
+ CleanupPolicyNamespaceListerExpansion
+}
+
+// cleanupPolicyNamespaceLister implements the CleanupPolicyNamespaceLister
+// interface.
+type cleanupPolicyNamespaceLister struct {
+ indexer cache.Indexer
+ namespace string
+}
+
+// List lists all CleanupPolicies in the indexer for a given namespace.
+func (s cleanupPolicyNamespaceLister) List(selector labels.Selector) (ret []*v2.CleanupPolicy, err error) {
+ err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+ ret = append(ret, m.(*v2.CleanupPolicy))
+ })
+ return ret, err
+}
+
+// Get retrieves the CleanupPolicy from the indexer for a given namespace and name.
+func (s cleanupPolicyNamespaceLister) Get(name string) (*v2.CleanupPolicy, error) {
+ obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v2.Resource("cleanuppolicy"), name)
+ }
+ return obj.(*v2.CleanupPolicy), nil
+}
diff --git a/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go b/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go
new file mode 100644
index 0000000000..d54d6a4ec6
--- /dev/null
+++ b/pkg/client/listers/kyverno/v2/clustercleanuppolicy.go
@@ -0,0 +1,68 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/labels"
+ "k8s.io/client-go/tools/cache"
+)
+
+// ClusterCleanupPolicyLister helps list ClusterCleanupPolicies.
+// All objects returned here must be treated as read-only.
+type ClusterCleanupPolicyLister interface {
+ // List lists all ClusterCleanupPolicies in the indexer.
+ // Objects returned here must be treated as read-only.
+ List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error)
+ // Get retrieves the ClusterCleanupPolicy from the index for a given name.
+ // Objects returned here must be treated as read-only.
+ Get(name string) (*v2.ClusterCleanupPolicy, error)
+ ClusterCleanupPolicyListerExpansion
+}
+
+// clusterCleanupPolicyLister implements the ClusterCleanupPolicyLister interface.
+type clusterCleanupPolicyLister struct {
+ indexer cache.Indexer
+}
+
+// NewClusterCleanupPolicyLister returns a new ClusterCleanupPolicyLister.
+func NewClusterCleanupPolicyLister(indexer cache.Indexer) ClusterCleanupPolicyLister {
+ return &clusterCleanupPolicyLister{indexer: indexer}
+}
+
+// List lists all ClusterCleanupPolicies in the indexer.
+func (s *clusterCleanupPolicyLister) List(selector labels.Selector) (ret []*v2.ClusterCleanupPolicy, err error) {
+ err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+ ret = append(ret, m.(*v2.ClusterCleanupPolicy))
+ })
+ return ret, err
+}
+
+// Get retrieves the ClusterCleanupPolicy from the index for a given name.
+func (s *clusterCleanupPolicyLister) Get(name string) (*v2.ClusterCleanupPolicy, error) {
+ obj, exists, err := s.indexer.GetByKey(name)
+ if err != nil {
+ return nil, err
+ }
+ if !exists {
+ return nil, errors.NewNotFound(v2.Resource("clustercleanuppolicy"), name)
+ }
+ return obj.(*v2.ClusterCleanupPolicy), nil
+}
diff --git a/pkg/client/listers/kyverno/v2/expansion_generated.go b/pkg/client/listers/kyverno/v2/expansion_generated.go
index a64e291044..ee564de745 100644
--- a/pkg/client/listers/kyverno/v2/expansion_generated.go
+++ b/pkg/client/listers/kyverno/v2/expansion_generated.go
@@ -34,6 +34,14 @@ type BackgroundScanReportListerExpansion interface{}
// BackgroundScanReportNamespaceLister.
type BackgroundScanReportNamespaceListerExpansion interface{}
+// CleanupPolicyListerExpansion allows custom methods to be added to
+// CleanupPolicyLister.
+type CleanupPolicyListerExpansion interface{}
+
+// CleanupPolicyNamespaceListerExpansion allows custom methods to be added to
+// CleanupPolicyNamespaceLister.
+type CleanupPolicyNamespaceListerExpansion interface{}
+
// ClusterAdmissionReportListerExpansion allows custom methods to be added to
// ClusterAdmissionReportLister.
type ClusterAdmissionReportListerExpansion interface{}
@@ -42,6 +50,10 @@ type ClusterAdmissionReportListerExpansion interface{}
// ClusterBackgroundScanReportLister.
type ClusterBackgroundScanReportListerExpansion interface{}
+// ClusterCleanupPolicyListerExpansion allows custom methods to be added to
+// ClusterCleanupPolicyLister.
+type ClusterCleanupPolicyListerExpansion interface{}
+
// PolicyExceptionListerExpansion allows custom methods to be added to
// PolicyExceptionLister.
type PolicyExceptionListerExpansion interface{}
diff --git a/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go b/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go
new file mode 100644
index 0000000000..742b870167
--- /dev/null
+++ b/pkg/clients/kyverno/kyvernov2/cleanuppolicies/resource.generated.go
@@ -0,0 +1,373 @@
+package resource
+
+import (
+ context "context"
+ "fmt"
+ "time"
+
+ "github.com/go-logr/logr"
+ github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
+ "github.com/kyverno/kyverno/pkg/metrics"
+ "github.com/kyverno/kyverno/pkg/tracing"
+ "go.opentelemetry.io/otel/trace"
+ "go.uber.org/multierr"
+ k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+ k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+ logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Create")
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Create failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Create done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Delete")
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "Delete failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Delete done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "DeleteCollection")
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+ } else {
+ logger.Info("DeleteCollection done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Get")
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Get failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Get done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "List")
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "List failed", "duration", time.Since(start))
+ } else {
+ logger.Info("List done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Patch")
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Patch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Patch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Update")
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Update failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Update done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "UpdateStatus")
+ ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
+ } else {
+ logger.Info("UpdateStatus done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Watch")
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Watch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Watch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+
+type withMetrics struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+ recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "create")
+ return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete")
+ return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete_collection")
+ return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "get")
+ return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+ defer c.recorder.RecordWithContext(arg0, "list")
+ return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "patch")
+ return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "update")
+ return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "update_status")
+ return c.inner.UpdateStatus(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ defer c.recorder.RecordWithContext(arg0, "watch")
+ return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface
+ client string
+ kind string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Create"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Delete"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("DeleteCollection"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Get"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicyList, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("List"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Patch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Update"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.CleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("UpdateStatus"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Watch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
diff --git a/pkg/clients/kyverno/kyvernov2/client.generated.go b/pkg/clients/kyverno/kyvernov2/client.generated.go
index 7916acb602..e31b6a81c6 100644
--- a/pkg/clients/kyverno/kyvernov2/client.generated.go
+++ b/pkg/clients/kyverno/kyvernov2/client.generated.go
@@ -5,8 +5,10 @@ import (
github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
admissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/admissionreports"
backgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/backgroundscanreports"
+ cleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/cleanuppolicies"
clusteradmissionreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusteradmissionreports"
clusterbackgroundscanreports "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clusterbackgroundscanreports"
+ clustercleanuppolicies "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies"
policyexceptions "github.com/kyverno/kyverno/pkg/clients/kyverno/kyvernov2/policyexceptions"
"github.com/kyverno/kyverno/pkg/metrics"
"k8s.io/client-go/rest"
@@ -41,6 +43,10 @@ func (c *withMetrics) BackgroundScanReports(namespace string) github_com_kyverno
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "BackgroundScanReport", c.clientType)
return backgroundscanreports.WithMetrics(c.inner.BackgroundScanReports(namespace), recorder)
}
+func (c *withMetrics) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "CleanupPolicy", c.clientType)
+ return cleanuppolicies.WithMetrics(c.inner.CleanupPolicies(namespace), recorder)
+}
func (c *withMetrics) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterAdmissionReport", c.clientType)
return clusteradmissionreports.WithMetrics(c.inner.ClusterAdmissionReports(), recorder)
@@ -49,6 +55,10 @@ func (c *withMetrics) ClusterBackgroundScanReports() github_com_kyverno_kyverno_
recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterBackgroundScanReport", c.clientType)
return clusterbackgroundscanreports.WithMetrics(c.inner.ClusterBackgroundScanReports(), recorder)
}
+func (c *withMetrics) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ recorder := metrics.ClusteredClientQueryRecorder(c.metrics, "ClusterCleanupPolicy", c.clientType)
+ return clustercleanuppolicies.WithMetrics(c.inner.ClusterCleanupPolicies(), recorder)
+}
func (c *withMetrics) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
recorder := metrics.NamespacedClientQueryRecorder(c.metrics, namespace, "PolicyException", c.clientType)
return policyexceptions.WithMetrics(c.inner.PolicyExceptions(namespace), recorder)
@@ -68,12 +78,18 @@ func (c *withTracing) AdmissionReports(namespace string) github_com_kyverno_kyve
func (c *withTracing) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface {
return backgroundscanreports.WithTracing(c.inner.BackgroundScanReports(namespace), c.client, "BackgroundScanReport")
}
+func (c *withTracing) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ return cleanuppolicies.WithTracing(c.inner.CleanupPolicies(namespace), c.client, "CleanupPolicy")
+}
func (c *withTracing) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
return clusteradmissionreports.WithTracing(c.inner.ClusterAdmissionReports(), c.client, "ClusterAdmissionReport")
}
func (c *withTracing) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface {
return clusterbackgroundscanreports.WithTracing(c.inner.ClusterBackgroundScanReports(), c.client, "ClusterBackgroundScanReport")
}
+func (c *withTracing) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ return clustercleanuppolicies.WithTracing(c.inner.ClusterCleanupPolicies(), c.client, "ClusterCleanupPolicy")
+}
func (c *withTracing) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return policyexceptions.WithTracing(c.inner.PolicyExceptions(namespace), c.client, "PolicyException")
}
@@ -92,12 +108,18 @@ func (c *withLogging) AdmissionReports(namespace string) github_com_kyverno_kyve
func (c *withLogging) BackgroundScanReports(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.BackgroundScanReportInterface {
return backgroundscanreports.WithLogging(c.inner.BackgroundScanReports(namespace), c.logger.WithValues("resource", "BackgroundScanReports").WithValues("namespace", namespace))
}
+func (c *withLogging) CleanupPolicies(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.CleanupPolicyInterface {
+ return cleanuppolicies.WithLogging(c.inner.CleanupPolicies(namespace), c.logger.WithValues("resource", "CleanupPolicies").WithValues("namespace", namespace))
+}
func (c *withLogging) ClusterAdmissionReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterAdmissionReportInterface {
return clusteradmissionreports.WithLogging(c.inner.ClusterAdmissionReports(), c.logger.WithValues("resource", "ClusterAdmissionReports"))
}
func (c *withLogging) ClusterBackgroundScanReports() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterBackgroundScanReportInterface {
return clusterbackgroundscanreports.WithLogging(c.inner.ClusterBackgroundScanReports(), c.logger.WithValues("resource", "ClusterBackgroundScanReports"))
}
+func (c *withLogging) ClusterCleanupPolicies() github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ return clustercleanuppolicies.WithLogging(c.inner.ClusterCleanupPolicies(), c.logger.WithValues("resource", "ClusterCleanupPolicies"))
+}
func (c *withLogging) PolicyExceptions(namespace string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.PolicyExceptionInterface {
return policyexceptions.WithLogging(c.inner.PolicyExceptions(namespace), c.logger.WithValues("resource", "PolicyExceptions").WithValues("namespace", namespace))
}
diff --git a/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go b/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go
new file mode 100644
index 0000000000..a14bee1d3f
--- /dev/null
+++ b/pkg/clients/kyverno/kyvernov2/clustercleanuppolicies/resource.generated.go
@@ -0,0 +1,373 @@
+package resource
+
+import (
+ context "context"
+ "fmt"
+ "time"
+
+ "github.com/go-logr/logr"
+ github_com_kyverno_kyverno_api_kyverno_v2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2 "github.com/kyverno/kyverno/pkg/client/clientset/versioned/typed/kyverno/v2"
+ "github.com/kyverno/kyverno/pkg/metrics"
+ "github.com/kyverno/kyverno/pkg/tracing"
+ "go.opentelemetry.io/otel/trace"
+ "go.uber.org/multierr"
+ k8s_io_apimachinery_pkg_apis_meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ k8s_io_apimachinery_pkg_types "k8s.io/apimachinery/pkg/types"
+ k8s_io_apimachinery_pkg_watch "k8s.io/apimachinery/pkg/watch"
+)
+
+func WithLogging(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, logger logr.Logger) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ return &withLogging{inner, logger}
+}
+
+func WithMetrics(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, recorder metrics.Recorder) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ return &withMetrics{inner, recorder}
+}
+
+func WithTracing(inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface, client, kind string) github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface {
+ return &withTracing{inner, client, kind}
+}
+
+type withLogging struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+ logger logr.Logger
+}
+
+func (c *withLogging) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Create")
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Create failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Create done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Delete")
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "Delete failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Delete done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "DeleteCollection")
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if err := multierr.Combine(ret0); err != nil {
+ logger.Error(err, "DeleteCollection failed", "duration", time.Since(start))
+ } else {
+ logger.Info("DeleteCollection done", "duration", time.Since(start))
+ }
+ return ret0
+}
+func (c *withLogging) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Get")
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Get failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Get done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "List")
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "List failed", "duration", time.Since(start))
+ } else {
+ logger.Info("List done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Patch")
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Patch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Patch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Update")
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Update failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Update done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "UpdateStatus")
+ ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "UpdateStatus failed", "duration", time.Since(start))
+ } else {
+ logger.Info("UpdateStatus done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+func (c *withLogging) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ start := time.Now()
+ logger := c.logger.WithValues("operation", "Watch")
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if err := multierr.Combine(ret1); err != nil {
+ logger.Error(err, "Watch failed", "duration", time.Since(start))
+ } else {
+ logger.Info("Watch done", "duration", time.Since(start))
+ }
+ return ret0, ret1
+}
+
+type withMetrics struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+ recorder metrics.Recorder
+}
+
+func (c *withMetrics) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "create")
+ return c.inner.Create(arg0, arg1, arg2)
+}
+func (c *withMetrics) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete")
+ return c.inner.Delete(arg0, arg1, arg2)
+}
+func (c *withMetrics) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ defer c.recorder.RecordWithContext(arg0, "delete_collection")
+ return c.inner.DeleteCollection(arg0, arg1, arg2)
+}
+func (c *withMetrics) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "get")
+ return c.inner.Get(arg0, arg1, arg2)
+}
+func (c *withMetrics) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+ defer c.recorder.RecordWithContext(arg0, "list")
+ return c.inner.List(arg0, arg1)
+}
+func (c *withMetrics) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "patch")
+ return c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+}
+func (c *withMetrics) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "update")
+ return c.inner.Update(arg0, arg1, arg2)
+}
+func (c *withMetrics) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ defer c.recorder.RecordWithContext(arg0, "update_status")
+ return c.inner.UpdateStatus(arg0, arg1, arg2)
+}
+func (c *withMetrics) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ defer c.recorder.RecordWithContext(arg0, "watch")
+ return c.inner.Watch(arg0, arg1)
+}
+
+type withTracing struct {
+ inner github_com_kyverno_kyverno_pkg_client_clientset_versioned_typed_kyverno_v2.ClusterCleanupPolicyInterface
+ client string
+ kind string
+}
+
+func (c *withTracing) Create(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.CreateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Create"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Create"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Create(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Delete(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Delete"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Delete"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.Delete(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) DeleteCollection(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.DeleteOptions, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) error {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "DeleteCollection"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("DeleteCollection"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0 := c.inner.DeleteCollection(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret0)
+ }
+ return ret0
+}
+func (c *withTracing) Get(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.GetOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Get"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Get"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Get(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) List(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicyList, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "List"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("List"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.List(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Patch(arg0 context.Context, arg1 string, arg2 k8s_io_apimachinery_pkg_types.PatchType, arg3 []uint8, arg4 k8s_io_apimachinery_pkg_apis_meta_v1.PatchOptions, arg5 ...string) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Patch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Patch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Patch(arg0, arg1, arg2, arg3, arg4, arg5...)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Update(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Update"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Update"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Update(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) UpdateStatus(arg0 context.Context, arg1 *github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, arg2 k8s_io_apimachinery_pkg_apis_meta_v1.UpdateOptions) (*github_com_kyverno_kyverno_api_kyverno_v2.ClusterCleanupPolicy, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "UpdateStatus"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("UpdateStatus"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.UpdateStatus(arg0, arg1, arg2)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
+func (c *withTracing) Watch(arg0 context.Context, arg1 k8s_io_apimachinery_pkg_apis_meta_v1.ListOptions) (k8s_io_apimachinery_pkg_watch.Interface, error) {
+ var span trace.Span
+ if tracing.IsInSpan(arg0) {
+ arg0, span = tracing.StartChildSpan(
+ arg0,
+ "",
+ fmt.Sprintf("KUBE %s/%s/%s", c.client, c.kind, "Watch"),
+ trace.WithAttributes(
+ tracing.KubeClientGroupKey.String(c.client),
+ tracing.KubeClientKindKey.String(c.kind),
+ tracing.KubeClientOperationKey.String("Watch"),
+ ),
+ )
+ defer span.End()
+ }
+ ret0, ret1 := c.inner.Watch(arg0, arg1)
+ if span != nil {
+ tracing.SetSpanStatus(span, ret1)
+ }
+ return ret0, ret1
+}
diff --git a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
index 9474a233f4..ae76685ce1 100644
--- a/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
+++ b/test/conformance/chainsaw/generate/validation/clusterpolicy/target-namespace-scope/policy-pass-3.yaml
@@ -27,7 +27,7 @@ spec:
kinds:
- PolicyException
generate:
- apiVersion: kyverno.io/v2beta1
+ apiVersion: kyverno.io/v2
kind: ClusterCleanupPolicy
name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
synchronize: false